runner-archived-at-1709658802
Test runner
cyberdojo/runner:a197c9e
Compliant — note that this verdict is the aggregate of per-evidence `is_compliant` flags, and the snyk-scan evidence reports "No medium or high or critical severity vulnerabilities" only after its `.snyk` policy suppresses several findings with path `'*'` and reason "Waiting for base image upgrade" (for example CVE-2023-44487, rated high and listed as known-exploited, in google.golang.org/grpc v1.50.1 under /usr/local/bin/dockerd, and CVE-2023-48795 in golang.org/x/crypto/ssh v0.14.0). Those ignores expire on 2024-03-01 and the scan's `ignoreSettings` has `reasonRequired: false` and `adminOnly: false`, so re-check this status once the ignores lapse or the base image is upgraded rather than treating it as a clean scan.
{ "created_at": 1705055819.1447134, "fingerprint": "b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de", "filename": "cyberdojo/runner:a197c9e", "git_commit": "a197c9ead0c2671dd50f88bd2ea145c8a456038b", "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7501019747", "commit_url": "https://github.com/cyber-dojo/runner/commit/a197c9ead0c2671dd50f88bd2ea145c8a456038b", "evidence": { "branch-coverage": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7501019747", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1705055859 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1705055820 } }, "created_at": 1705055861.4070947, "has_audit_package": false }, "snyk-scan": { "evidence_type": "snyk", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7511552703", "evidence_archive_fingerprint": "14fad23b2f52a7608f4a6c90cc79cf74e54d5963b32e8084a364474d33dad727", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": 
{}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; 
change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - 
'*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" 
}, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n 
SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", 
"licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image 
upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", 
"severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n 
source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { 
"dependencyCount": 833, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. 
If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub 
Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": 
"https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, 
{ "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": 
null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/docker@*", "google.golang.org/protobuf/encoding/protojson@v1.28.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.28.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. 
level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": 
false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": 
"high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n 
created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. 
An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. 
\r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, 
"fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": 
"https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/protobuf/encoding/protojson@v1.31.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": 
"golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.31.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the 
`otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" 
], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": 
[], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n 
created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 723, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is an SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. 
An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. 
\r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, 
"fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": 
"https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/protobuf/encoding/protojson@v1.30.0" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.30.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) provides an http.Handler and 
functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", 
"path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n 
created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 102, "docker": { "baseImage": "docker:24.0.7-dind-alpine3.18", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and 
other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## References\n- 
[cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-common@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-client-common", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": "https://matt.ucc.asn.au/dropbear/CHANGES", "url": 
"https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": "https://github.com/mwiede/jsch/pull/461" }, { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [ false, "openssh/openssh-client-common@9.3_p2-r1" ], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in 
OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## 
References\n- [cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-default@9.3_p2-r0", "openssh/openssh-client-common@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-client-common", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": 
"https://matt.ucc.asn.au/dropbear/CHANGES", "url": "https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": 
"https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": 
"https://github.com/mwiede/jsch/pull/461" }, { "title": "https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote 
attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## References\n- 
[cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-keygen@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-keygen", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": "https://matt.ucc.asn.au/dropbear/CHANGES", "url": 
"https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": "https://github.com/mwiede/jsch/pull/461" }, { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [ false, "openssh/openssh-keygen@9.3_p2-r1" ], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH 
before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## 
References\n- [cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-default@9.3_p2-r0", "openssh/openssh-keygen@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-keygen", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": 
"https://matt.ucc.asn.au/dropbear/CHANGES", "url": "https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": 
"https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": 
"https://github.com/mwiede/jsch/pull/461" }, { "title": "https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote 
attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## References\n- 
[cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-default@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-client-default", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": "https://matt.ucc.asn.au/dropbear/CHANGES", "url": 
"https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": "https://github.com/mwiede/jsch/pull/461" }, { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [ false, "openssh/openssh-client-default@9.3_p2-r1" ], "version": "9.3_p2-r0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": 
{ "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/runner:a197c9e", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n 
expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1705137379.6959307, "has_audit_package": true } }, "reported_by": "ci-pipelines", "git_commit_info": { "sha1": "a197c9ead0c2671dd50f88bd2ea145c8a456038b", "message": "Update dependent language-test-framework images used in tests", "author": "JonJagger <jon@kosli.com>", "timestamp": 1705055721, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/runner", "template": [ "artifact", "branch-coverage", "snyk-scan" ], "last_modified_at": 1705137379.6959307, "deployments": [ 73, 72 ], "state": "COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/runner-archived-at-1709658802/artifacts/b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de", "api_url": 
"https://app.kosli.com/api/v2/artifacts/cyber-dojo/runner-archived-at-1709658802/fingerprint/b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de" }
Artifact Information |
Name | cyberdojo/runner:a197c9e |
Fingerprint | b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de |
Git commit |
a197c9e
JonJagger <jon@kosli.com> (main)
1705055721.0 • 3 months ago
Update dependent language-test-framework images used in tests
CI Build | https://github.com/cyber-dojo/runner/actions/runs/7501019747 |
Running | - |
Exited | aws-beta#2840 aws-prod#1976 |
Last modified | 1705137379.6959307 • 3 months ago |
Approvals
None |
Evidence
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7501019747", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1705055859 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1705055820 } }, "created_at": 1705055861.4070947, "has_audit_package": false }
Evidence for 'snyk-scan' (reported compliant with an empty "vulnerabilities" list; note that the openssh finding SNYK-ALPINE318-OPENSSH-6139287 / CVE-2023-48795, fixed in 9.3_p2-r1, is present in the scan output but sits under "filtered"."ignored" with reason "Waiting for base image upgrade" and expiry 2024-03-01T12:46:34.671Z, so the "No known operating system vulnerabilities" summary reflects that ignore rule rather than a clean image, and the compliant status depends on the rule remaining in force)
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7511552703", "evidence_archive_fingerprint": "14fad23b2f52a7608f4a6c90cc79cf74e54d5963b32e8084a364474d33dad727", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, 
"org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: 
cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { 
"instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image 
upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", 
"severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 
2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, 
"ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 
SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n 
expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 833, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. 
An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. 
\r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, 
"fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": 
"https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/docker@*", "google.golang.org/protobuf/encoding/protojson@v1.28.1" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.28.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and 
functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", 
"path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n 
created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. 
An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. 
\r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, 
"fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": 
"https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/protobuf/encoding/protojson@v1.31.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": 
"golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.31.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the 
`otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" 
], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": 
[], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n 
created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 723, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. 
An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. 
\r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, 
"fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": 
"https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/protobuf/encoding/protojson@v1.30.0" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.30.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and 
functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", 
"path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n 
created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 102, "docker": { "baseImage": "docker:24.0.7-dind-alpine3.18", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and 
other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## References\n- 
[cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-common@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-client-common", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": "https://matt.ucc.asn.au/dropbear/CHANGES", "url": 
"https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": "https://github.com/mwiede/jsch/pull/461" }, { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [ false, "openssh/openssh-client-common@9.3_p2-r1" ], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in 
OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## 
References\n- [cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-default@9.3_p2-r0", "openssh/openssh-client-common@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-client-common", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": 
"https://matt.ucc.asn.au/dropbear/CHANGES", "url": "https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": 
"https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": 
"https://github.com/mwiede/jsch/pull/461" }, { "title": "https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote 
attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## References\n- 
[cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-keygen@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-keygen", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": "https://matt.ucc.asn.au/dropbear/CHANGES", "url": 
"https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": "https://github.com/mwiede/jsch/pull/461" }, { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [ false, "openssh/openssh-keygen@9.3_p2-r1" ], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH 
before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## 
References\n- [cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-default@9.3_p2-r0", "openssh/openssh-keygen@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-keygen", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": 
"https://matt.ucc.asn.au/dropbear/CHANGES", "url": "https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": 
"https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": 
"https://github.com/mwiede/jsch/pull/461" }, { "title": "https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [], "version": "9.3_p2-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "cpes": [], "creationTime": "2023-12-25T14:53:44.722360Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssh` package and not the `openssh` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote 
attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.\n## Remediation\nUpgrade `Alpine:3.18` `openssh` to version 9.3_p2-r1 or higher.\n## References\n- 
[cve@mitre.org](https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42)\n- [cve@mitre.org](https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25)\n- [cve@mitre.org](https://github.com/openssh/openssh-portable/commits/master)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/tags)\n- [cve@mitre.org](https://gitlab.com/libssh/libssh-mirror/-/tags)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ)\n- [cve@mitre.org](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/)\n- [cve@mitre.org](https://matt.ucc.asn.au/dropbear/CHANGES)\n- [cve@mitre.org](https://www.bitvise.com/ssh-server-version-history)\n- [cve@mitre.org](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html)\n- [cve@mitre.org](https://www.openssh.com/openbsd.html)\n- [cve@mitre.org](https://www.openssh.com/txt/release-9.6)\n- [cve@mitre.org](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/)\n- [cve@mitre.org](https://www.terrapin-attack.com)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [cve@mitre.org](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [cve@mitre.org](https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst)\n- [cve@mitre.org](https://github.com/warp-tech/russh/releases/tag/v0.40.2)\n- [cve@mitre.org](https://thorntech.com/cve-2023-48795-and-sftp-gateway/)\n- [cve@mitre.org](https://twitter.com/TrueSkrillor/status/1736774389725565005)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/18/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/18/3)\n- [cve@mitre.org](https://github.com/paramiko/paramiko/issues/2337)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=38684904)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38685286)\n- [cve@mitre.org](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6)\n- [cve@mitre.org](https://github.com/mwiede/jsch/issues/457)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-48795)\n- [cve@mitre.org](https://bugs.gentoo.org/920280)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2254210)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1217950)\n- [cve@mitre.org](https://github.com/advisories/GHSA-45x7-px36-x8w8)\n- [cve@mitre.org](https://github.com/drakkan/sftpgo/releases/tag/v2.5.6)\n- [cve@mitre.org](https://github.com/erlang/otp/releases/tag/OTP-26.2.1)\n- [cve@mitre.org](https://github.com/mwiede/jsch/pull/461)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/CVE-2023-48795)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/libssh2)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-48795)\n- [cve@mitre.org](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/)\n- [cve@mitre.org](https://github.com/libssh2/libssh2/pull/1291)\n- [cve@mitre.org](https://forum.netgate.com/topic/184941/terrapin-ssh-attack)\n- [cve@mitre.org](https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5)\n- [cve@mitre.org](https://github.com/rapier1/hpn-ssh/releases)\n- [cve@mitre.org](https://crates.io/crates/thrussh/versions)\n- [cve@mitre.org](https://github.com/NixOS/nixpkgs/pull/275249)\n- [cve@mitre.org](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1)\n- [cve@mitre.org](https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab)\n- 
[cve@mitre.org](https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22)\n- [cve@mitre.org](https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3)\n- [cve@mitre.org](https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/issues/456)\n- [cve@mitre.org](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC)\n- [cve@mitre.org](https://oryx-embedded.com/download/#changelog)\n- [cve@mitre.org](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update)\n- [cve@mitre.org](https://www.netsarang.com/en/xshell-update-history/)\n- [cve@mitre.org](https://www.paramiko.org/changelog.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/19/5)\n- [cve@mitre.org](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc)\n- [cve@mitre.org](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/12/20/3)\n- [cve@mitre.org](https://github.com/apache/mina-sshd/issues/445)\n- [cve@mitre.org](https://github.com/hierynomus/sshj/issues/916)\n- [cve@mitre.org](https://github.com/janmojzis/tinyssh/issues/81)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES)\n- [cve@mitre.org](https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16)\n- [cve@mitre.org](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/12/20/3)\n- 
[cve@mitre.org](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5586)\n- [cve@mitre.org](https://filezilla-project.org/versions.php)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/issues/2189)\n- [cve@mitre.org](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta)\n- [cve@mitre.org](https://github.com/cyd01/KiTTY/issues/520)\n- [cve@mitre.org](https://help.panic.com/releasenotes/transmit5/)\n- [cve@mitre.org](https://nova.app/releases/#v11.8)\n- [cve@mitre.org](https://roumenpetrov.info/secsh/#news20231220)\n- [cve@mitre.org](https://winscp.net/eng/docs/history#6.2.2)\n- [cve@mitre.org](https://www.bitvise.com/ssh-client-version-history#933)\n- [cve@mitre.org](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508)\n- [cve@mitre.org](https://www.theregister.com/2023/12/20/terrapin_attack_ssh)\n- [cve@mitre.org](https://www.vandyke.com/products/securecrt/history.txt)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5588)\n- [cve@mitre.org](https://github.com/ssh-mitm/ssh-mitm/issues/165)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=38732005)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-16)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202312-17)\n", "disclosureTime": "2023-12-18T16:15:10.897000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.83233", "probability": "0.01153" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-28T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ 
"9.3_p2-r1" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@*", "openssh/openssh-client-default@9.3_p2-r0" ], "id": "SNYK-ALPINE318-OPENSSH-6139287", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-354" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-12-29T01:11:20.311137Z", "name": "openssh/openssh-client-default", "nearestFixedInVersion": "9.3_p2-r1", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "openssh", "patches": [], "publicationTime": "2023-12-25T14:53:44.730576Z", "references": [ { "title": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42", "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml%23L39-L42" }, { "title": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25", "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES%23L25" }, { "title": "https://github.com/openssh/openssh-portable/commits/master", "url": "https://github.com/openssh/openssh-portable/commits/master" }, { "title": "https://github.com/ronf/asyncssh/tags", "url": "https://github.com/ronf/asyncssh/tags" }, { "title": "https://gitlab.com/libssh/libssh-mirror/-/tags", "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" }, { "title": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" }, { "title": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/" }, { "title": "https://matt.ucc.asn.au/dropbear/CHANGES", "url": 
"https://matt.ucc.asn.au/dropbear/CHANGES" }, { "title": "https://www.bitvise.com/ssh-server-version-history", "url": "https://www.bitvise.com/ssh-server-version-history" }, { "title": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" }, { "title": "https://www.openssh.com/openbsd.html", "url": "https://www.openssh.com/openbsd.html" }, { "title": "https://www.openssh.com/txt/release-9.6", "url": "https://www.openssh.com/txt/release-9.6" }, { "title": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" }, { "title": "https://www.terrapin-attack.com", "url": "https://www.terrapin-attack.com" }, { "title": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst" }, { "title": "https://github.com/warp-tech/russh/releases/tag/v0.40.2", "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2" }, { "title": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/" }, { "title": "https://twitter.com/TrueSkrillor/status/1736774389725565005", "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/12/18/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3" }, { "title": "https://github.com/paramiko/paramiko/issues/2337", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "https://news.ycombinator.com/item?id=38684904", "url": "https://news.ycombinator.com/item?id=38684904" }, { "title": "https://news.ycombinator.com/item?id=38685286", "url": "https://news.ycombinator.com/item?id=38685286" }, { "title": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" }, { "title": "https://github.com/mwiede/jsch/issues/457", "url": "https://github.com/mwiede/jsch/issues/457" }, { "title": "https://access.redhat.com/security/cve/cve-2023-48795", "url": "https://access.redhat.com/security/cve/cve-2023-48795" }, { "title": "https://bugs.gentoo.org/920280", "url": "https://bugs.gentoo.org/920280" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1217950", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" }, { "title": "https://github.com/advisories/GHSA-45x7-px36-x8w8", "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" }, { "title": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6" }, { "title": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1" }, { "title": "https://github.com/mwiede/jsch/pull/461", "url": "https://github.com/mwiede/jsch/pull/461" }, { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-48795", "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" }, { "title": "https://security-tracker.debian.org/tracker/source-package/libssh2", "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" }, { "title": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" }, { "title": "https://ubuntu.com/security/CVE-2023-48795", "url": "https://ubuntu.com/security/CVE-2023-48795" }, { "title": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" }, { "title": "https://github.com/libssh2/libssh2/pull/1291", "url": "https://github.com/libssh2/libssh2/pull/1291" }, { "title": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" }, { "title": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5" }, { "title": "https://github.com/rapier1/hpn-ssh/releases", "url": "https://github.com/rapier1/hpn-ssh/releases" }, { "title": "https://crates.io/crates/thrussh/versions", "url": "https://crates.io/crates/thrussh/versions" }, { "title": "https://github.com/NixOS/nixpkgs/pull/275249", "url": "https://github.com/NixOS/nixpkgs/pull/275249" }, { "title": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1" }, { "title": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab" }, { "title": 
"https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22" }, { "title": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3" }, { "title": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15" }, { "title": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/issues/456", "url": "https://github.com/proftpd/proftpd/issues/456" }, { "title": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC" }, { "title": "https://oryx-embedded.com/download/%23changelog", "url": "https://oryx-embedded.com/download/%23changelog" }, { "title": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update" }, { "title": "https://www.netsarang.com/en/xshell-update-history/", "url": "https://www.netsarang.com/en/xshell-update-history/" }, { "title": "https://www.paramiko.org/changelog.html", "url": "https://www.paramiko.org/changelog.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/19/5", "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5" }, { "title": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" }, { "title": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", "url": 
"https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "https://github.com/apache/mina-sshd/issues/445", "url": "https://github.com/apache/mina-sshd/issues/445" }, { "title": "https://github.com/hierynomus/sshj/issues/916", "url": "https://github.com/hierynomus/sshj/issues/916" }, { "title": "https://github.com/janmojzis/tinyssh/issues/81", "url": "https://github.com/janmojzis/tinyssh/issues/81" }, { "title": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES" }, { "title": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES" }, { "title": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16", "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt%23L14-L16" }, { "title": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" }, { "title": "https://www.openwall.com/lists/oss-security/2023/12/20/3", "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3" }, { "title": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" }, { "title": "https://www.debian.org/security/2023/dsa-5586", "url": "https://www.debian.org/security/2023/dsa-5586" }, { "title": "https://filezilla-project.org/versions.php", "url": "https://filezilla-project.org/versions.php" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189" }, { "title": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta" }, { "title": "https://github.com/cyd01/KiTTY/issues/520", "url": "https://github.com/cyd01/KiTTY/issues/520" }, { "title": "https://help.panic.com/releasenotes/transmit5/", "url": "https://help.panic.com/releasenotes/transmit5/" }, { "title": "https://nova.app/releases/%23v11.8", "url": "https://nova.app/releases/%23v11.8" }, { "title": "https://roumenpetrov.info/secsh/%23news20231220", "url": "https://roumenpetrov.info/secsh/%23news20231220" }, { "title": "https://winscp.net/eng/docs/history%236.2.2", "url": "https://winscp.net/eng/docs/history%236.2.2" }, { "title": "https://www.bitvise.com/ssh-client-version-history%23933", "url": "https://www.bitvise.com/ssh-client-version-history%23933" }, { "title": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508", "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise%23c243508" }, { "title": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh" }, { "title": "https://www.vandyke.com/products/securecrt/history.txt", "url": "https://www.vandyke.com/products/securecrt/history.txt" }, { "title": "https://www.debian.org/security/2023/dsa-5588", "url": "https://www.debian.org/security/2023/dsa-5588" }, { "title": 
"https://github.com/ssh-mitm/ssh-mitm/issues/165", "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165" }, { "title": "https://news.ycombinator.com/item?id=38732005", "url": "https://news.ycombinator.com/item?id=38732005" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" }, { "title": "https://security.gentoo.org/glsa/202312-16", "url": "https://security.gentoo.org/glsa/202312-16" }, { "title": "https://security.gentoo.org/glsa/202312-17", "url": "https://security.gentoo.org/glsa/202312-17" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<9.3_p2-r1" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Validation of Integrity Check Value", "upgradePath": [ false, "openssh/openssh-client-default@9.3_p2-r1" ], "version": "9.3_p2-r0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": 
{ "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e@sha256:b798f2b4738c1a53aac830f20995ca2ca500145a327f59f38afe40718df1f8de/runner:a197c9e", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n 
expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:a197c9e", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1705137379.6959307, "has_audit_package": true }
