cyber-dojo
flows
runner-archived-at-1709658802
artifacts
43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d
By signing up, you agree to the
Terms of Service.
For more information about Kosli’s privacy practices, see the Kosli’s
Privacy Policy.
We’ll occasionally send you account-related emails.
We’ll occasionally send you account-related emails.
runner-archived-at-1709658802
Test runner
cyberdojo/runner:f9866a8
Non-compliant
Download Evidence Package
JSON
{ "created_at": 1699707158.347533, "fingerprint": "43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d", "filename": "cyberdojo/runner:f9866a8", "git_commit": "f9866a8966765f3295b8d8fc864c1fce6b390555", "build_url": "https://github.com/cyber-dojo/runner/actions/runs/6834327247", "commit_url": "https://github.com/cyber-dojo/runner/commit/f9866a8966765f3295b8d8fc864c1fce6b390555", "evidence": { "branch-coverage": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/6834327247", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1699707208 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1699707160 } }, "created_at": 1699707210.434103, "has_audit_package": false }, "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6913041804", "evidence_archive_fingerprint": "b0df7042e955b0c03a6e083ad1f6fc71850df2dac1117aa4956d11939bab6960", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 834, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:46:34.673Z", "expires": "2023-12-11T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/net/http2@v0.10.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.10.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2023-12-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2023-12-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2023-12-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2023-12-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:46:34.673Z", "expires": "2023-12-11T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/net/http2@v0.12.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.12.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2023-12-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/grpc@v1.58.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.58.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2023-12-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2023-12-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2023-12-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 733, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:46:34.673Z", "expires": "2023-12-11T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/net/http2@v0.8.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.8.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2023-12-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2023-12-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2023-12-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2023-12-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 102, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [ false, "openssl/openssl@3.1.4-r0" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ca-certificates/ca-certificates@20230506-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [ false, "openssl/libssl3@3.1.4-r0" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "busybox/ssl_client@1.36.1-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "krb5-conf/krb5-conf@1.0-r2", "krb5/krb5-libs@1.20.1-r1", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ruby/ruby@3.2.2-r0", "ruby/ruby-libs@3.2.2-r0", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libcrypto3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [ false, "openssl/libcrypto3@3.1.4-r0" ], "version": "3.1.3-r0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/runner:f9866a8", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8", "severityThreshold": "medium", "summary": "18 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 1, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [ false, "openssl/openssl@3.1.4-r1" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ca-certificates/ca-certificates@20230506-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [ false, "openssl/libssl3@3.1.4-r1" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "busybox/ssl_client@1.36.1-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "krb5-conf/krb5-conf@1.0-r2", "krb5/krb5-libs@1.20.1-r1", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ruby/ruby@3.2.2-r0", "ruby/ruby-libs@3.2.2-r0", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libcrypto3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [ false, "openssl/libcrypto3@3.1.4-r1" ], "version": "3.1.3-r0" } ] }, "created_at": 1700298806.8413208, "has_audit_package": true } }, "git_commit_info": { "sha1": "f9866a8966765f3295b8d8fc864c1fce6b390555", "message": "Update .snyk file", "author": "JonJagger <jon@kosli.com>", "timestamp": 1699707033, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/runner", "template": [ "artifact", "branch-coverage", "snyk-scan" ], "last_modified_at": 1700298806.8413208, "deployments": [ 57, 56 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/runner-archived-at-1709658802/artifacts/43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/runner-archived-at-1709658802/fingerprint/43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d" }
Artifact Information |
|
Name | cyberdojo/runner:f9866a8 |
Fingerprint | 43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d |
Git commit |
f9866a8
JonJagger <jon@kosli.com> (main)
1699707033.0 • 5 months ago
Update .snyk file
|
CI Build | https://github.com/cyber-dojo/runner/actions/runs/6834327247 |
Running | - |
Exited | aws-beta#2226 aws-prod#1437 |
Last modified | 1700298806.8413208 • 5 months ago |
Approvals
None |
Evidence
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/6834327247", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1699707208 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1699707160 } }, "created_at": 1699707210.434103, "has_audit_package": false }
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6913041804", "evidence_archive_fingerprint": "b0df7042e955b0c03a6e083ad1f6fc71850df2dac1117aa4956d11939bab6960", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 834, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:46:34.673Z", "expires": "2023-12-11T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/net/http2@v0.10.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.10.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2023-12-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2023-12-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2023-12-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2023-12-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:46:34.673Z", "expires": "2023-12-11T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/net/http2@v0.12.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.12.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2023-12-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/grpc@v1.58.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.58.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2023-12-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2023-12-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2023-12-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 733, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:46:34.673Z", "expires": "2023-12-11T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/net/http2@v0.8.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.8.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2023-12-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-17T08:50:14.177670Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2023-12-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2023-12-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2023-12-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 102, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [ false, "openssl/openssl@3.1.4-r0" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ca-certificates/ca-certificates@20230506-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [ false, "openssl/libssl3@3.1.4-r0" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "busybox/ssl_client@1.36.1-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "krb5-conf/krb5-conf@1.0-r2", "krb5/krb5-libs@1.20.1-r1", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ruby/ruby@3.2.2-r0", "ruby/ruby-libs@3.2.2-r0", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cpes": [], "creationTime": "2023-10-25T02:58:52.086118Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-10-26T11:01:48.943152Z", "severity": "high" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-10T01:10:44.205650Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "modificationTime": "2023-11-11T13:37:17.315978Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the "keylen" parameter or the IV length, via the "ivlen" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r0 or higher.\n## References\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/10/24/1)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [openssl-security@openssl.org](https://www.debian.org/security/2023/dsa-5532)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231024.txt)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231027-0010/)\n", "disclosureTime": "2023-10-25T18:17:43.613000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.28992", "probability": "0.00069" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:49:02.255Z", "expires": "2023-12-11T12:49:02.243Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "3.1.4-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libcrypto3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6032386", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5363" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T13:37:17.315978Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.1.4-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-10-25T02:58:04.943927Z", "references": [ { "title": "http://www.openwall.com/lists/oss-security/2023/10/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { "title": "https://www.debian.org/security/2023/dsa-5532", "url": "https://www.debian.org/security/2023/dsa-5532" }, { "title": "https://www.openssl.org/news/secadv/20231024.txt", "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { "title": "https://security.netapp.com/advisory/ntap-20231027-0010/", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "CVE-2023-5363", "upgradePath": [ false, "openssl/libcrypto3@3.1.4-r0" ], "version": "3.1.3-r0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@sha256:43f8fb6bc4508c8c1f6cba450bd43958372d7a3f46b93186436e9fc3c403804d/runner:f9866a8", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-12-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8", "severityThreshold": "medium", "summary": "18 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 1, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [ false, "openssl/openssl@3.1.4-r1" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ca-certificates/ca-certificates@20230506-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0", "openssl/openssl@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/openssl", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [ false, "openssl/libssl3@3.1.4-r1" ], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "apk-tools/apk-tools@2.14.0-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "busybox/ssl_client@1.36.1-r2", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "krb5-conf/krb5-conf@1.0-r2", "krb5/krb5-libs@1.20.1-r1", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "ruby/ruby@3.2.2-r0", "ruby/ruby-libs@3.2.2-r0", "openssl/libssl3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libssl3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [], "version": "3.1.3-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-11-11T15:02:39.692607Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-08T13:48:19.543999Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-15T01:11:01.755232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nUpgrade `Alpine:3.18` `openssl` to version 3.1.4-r1 or higher.\n## References\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n", "disclosureTime": "2023-11-06T16:15:42.670000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12710", "probability": "0.00045" }, "exploit": "Not Defined", "fixedIn": [ "3.1.4-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f9866a8@*", "openssl/libcrypto3@3.1.3-r0" ], "id": "SNYK-ALPINE318-OPENSSL-6055795", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-5678" ], "CWE": [ "CWE-754" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-11-15T01:11:01.991077Z", "name": "openssl/libcrypto3", "nearestFixedInVersion": "3.1.4-r1", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "openssl", "patches": [], "publicationTime": "2023-11-11T15:02:39.705852Z", "references": [ { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" }, { "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" }, { "title": "https://www.openssl.org/news/secadv/20231106.txt", "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<3.1.4-r1" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Improper Check for Unusual or Exceptional Conditions", "upgradePath": [ false, "openssl/libcrypto3@3.1.4-r1" ], "version": "3.1.3-r0" } ] }, "created_at": 1700298806.8413208, "has_audit_package": true }