nginx-archived-at-1707630884
Reverse proxy
cyberdojo/nginx:0844ab9
Non-compliant
{ "created_at": 1705052695.1805773, "fingerprint": "fb6db90b43ca080fa3874e5cb89bc8069f38aef0beb9f75910e5fb9f89394f75", "filename": "cyberdojo/nginx:0844ab9", "git_commit": "0844ab9c93f7aa8daef54084f8d37dfa4f4caafb", "build_url": "https://github.com/cyber-dojo/nginx/actions/runs/7500459469", "commit_url": "https://github.com/cyber-dojo/nginx/commit/0844ab9c93f7aa8daef54084f8d37dfa4f4caafb", "evidence": { "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7774026539", "evidence_archive_fingerprint": "dec9721e64d3df55e2e37ffaf81e98b1e1d899271bbc222b374d6a1dbc3ac221", "user_data": {}, "snyk_results": { "dependencyCount": 65, "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": 
"medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@sha256:fb6db90b43ca080fa3874e5cb89bc8069f38aef0beb9f75910e5fb9f89394f75/nginx:0844ab9", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9", "severityThreshold": "medium", "summary": "13 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 1, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 
format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", 
"openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [ false, "openssl/libcrypto3@3.0.12-r4" ], "version": 
"3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "apk-tools/apk-tools@2.12.10-r1", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "busybox/ssl_client@1.35.0-r29", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "ca-certificates/ca-certificates@20230506-r0", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", 
"url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "curl/libcurl@8.5.0-r0", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "nginx/nginx@1.24.0-r1", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "nginx-module-njs/nginx-module-njs@1.24.0.0.7.12-r1", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the 
description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "busybox/ssl_client@1.35.0-r29", "openssl/libssl3@3.0.12-r2", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the 
description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [ false, "openssl/libssl3@3.0.12-r4" ], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and 
not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "apk-tools/apk-tools@2.12.10-r1", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "curl/libcurl@8.5.0-r0", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "nginx/nginx@1.24.0-r1", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "busybox/ssl_client@1.35.0-r29", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" } ] }, "created_at": 1707049665.9117918, "has_audit_package": true } }, "reported_by": "ci-pipelines", "git_commit_info": { "sha1": "0844ab9c93f7aa8daef54084f8d37dfa4f4caafb", "message": "CI: move to latest workflows", "author": "JonJagger <jon@kosli.com>", "timestamp": 1705052649, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/nginx", "template": [ "artifact", "snyk-scan" ], "last_modified_at": 1707049665.9117918, "deployments": [ 110, 109 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/nginx-archived-at-1707630884/artifacts/fb6db90b43ca080fa3874e5cb89bc8069f38aef0beb9f75910e5fb9f89394f75", "api_url": 
"https://app.kosli.com/api/v2/artifacts/cyber-dojo/nginx-archived-at-1707630884/fingerprint/fb6db90b43ca080fa3874e5cb89bc8069f38aef0beb9f75910e5fb9f89394f75" }
Artifact Information |
Name | cyberdojo/nginx:0844ab9 |
Fingerprint | fb6db90b43ca080fa3874e5cb89bc8069f38aef0beb9f75910e5fb9f89394f75 |
Git commit |
0844ab9
JonJagger <jon@kosli.com> (main)
1705052649.0 • 3 months ago
CI: move to latest workflows
CI Build | https://github.com/cyber-dojo/nginx/actions/runs/7500459469 |
Running | - |
Exited | aws-beta#2967 aws-prod#2098 |
Last modified | 1707049665.9117918 • 3 months ago |
Approvals
None |
Evidence
Evidence for 'snyk-scan' (non-compliant). The scan reports 13 medium-or-higher vulnerable dependency paths but only one unique finding (uniqueCount 1): CVE-2024-0727 in the Alpine 3.17 openssl 3.0.12-r2 packages (libcrypto3/libssl3), fixed in 3.0.12-r4. NVD scores it medium 5.5 (Red Hat: low 3.3) on a local, user-interaction, availability-only vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), which trips the scan's "medium" severityThreshold; per the advisory the crash is reachable only when PKCS12 files from an untrusted source are parsed through the listed OpenSSL APIs. Remediation is to rebuild the image with openssl >= 3.0.12-r4: only the direct openssl/libcrypto3 path is marked isUpgradable, the remaining paths reach the same package via nginx, busybox/ssl_client, apk-tools, ca-certificates and curl/libcurl and clear once the base package is updated.
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7774026539", "evidence_archive_fingerprint": "dec9721e64d3df55e2e37ffaf81e98b1e1d899271bbc222b374d6a1dbc3ac221", "user_data": {}, "snyk_results": { "dependencyCount": 65, "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", 
"packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@sha256:fb6db90b43ca080fa3874e5cb89bc8069f38aef0beb9f75910e5fb9f89394f75/nginx:0844ab9", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9", "severityThreshold": "medium", "summary": "13 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 1, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. 
If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", 
"name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [ false, "openssl/libcrypto3@3.0.12-r4" ], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { 
"assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "apk-tools/apk-tools@2.12.10-r1", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "busybox/ssl_client@1.35.0-r29", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "ca-certificates/ca-certificates@20230506-r0", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", 
"url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "curl/libcurl@8.5.0-r0", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "nginx/nginx@1.24.0-r1", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "nginx-module-njs/nginx-module-njs@1.24.0.0.7.12-r1", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the 
description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "busybox/ssl_client@1.35.0-r29", "openssl/libssl3@3.0.12-r2", "openssl/libcrypto3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the 
description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [ false, "openssl/libssl3@3.0.12-r4" ], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and 
not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "apk-tools/apk-tools@2.12.10-r1", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "curl/libcurl@8.5.0-r0", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "nginx/nginx@1.24.0-r1", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-01-26T03:00:24.752243Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2024-01-25T13:59:48.995274Z", "severity": "low" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-03T01:11:14.382067Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as 
distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.17` relevant fixed versions and status._\n\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Alpine:3.17` `openssl` to version 3.0.12-r4 or higher.\n## References\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [openssl-security@openssl.org](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8)\n- [openssl-security@openssl.org](https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20240125.txt)\n", "disclosureTime": "2024-01-26T09:15:07.637000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.08097", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "3.0.12-r4" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:0844ab9@*", "busybox/ssl_client@1.35.0-r29", "openssl/libssl3@3.0.12-r2" ], "id": "SNYK-ALPINE317-OPENSSL-6191691", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2024-0727" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-03T01:11:14.382067Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.0.12-r4", "nvdSeverity": "medium", "packageManager": "alpine:3.17", "packageName": "openssl", "patches": [], "publicationTime": "2024-01-26T03:00:24.767066Z", "references": [ { "title": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", "url": 
"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" }, { "title": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" }, { "title": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { "title": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { "title": "https://www.openssl.org/news/secadv/20240125.txt", "url": "https://www.openssl.org/news/secadv/20240125.txt" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.0.12-r4" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2024-0727", "upgradePath": [], "version": "3.0.12-r2" } ] }, "created_at": 1707049665.9117918, "has_audit_package": true }