cyber-dojo
flows
web-archived-at-1709658792
artifacts
eaacf219c03843fa1274149ae452502e1945fbeda0df926f91f205007de06639
By signing up, you agree to the
Terms of Service.
For more information about Kosli’s privacy practices, see the Kosli’s
Privacy Policy.
We’ll occasionally send you account-related emails.
We’ll occasionally send you account-related emails.
web-archived-at-1709658792
UX for practicing TDD
cyberdojo/web:a1a005d
Non-compliant
Download Evidence Package
JSON
{ "created_at": 1706958960.2372503, "fingerprint": "eaacf219c03843fa1274149ae452502e1945fbeda0df926f91f205007de06639", "filename": "cyberdojo/web:a1a005d", "git_commit": "a1a005dea9c86e04f80a66a82cec4fcce9671d67", "build_url": "https://github.com/cyber-dojo/web/actions/runs/7766502744", "commit_url": "https://github.com/cyber-dojo/web/commit/a1a005dea9c86e04f80a66a82cec4fcce9671d67", "evidence": { "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7853942406", "evidence_archive_fingerprint": "eda75a3b77885e33ca45e7ad6587267e2a07b4a7d8997e159b60c1c93e7638e9", "user_data": {}, "snyk_results": { "dependencyCount": 53, "docker": { "baseImage": "alpine:3.19.0", "baseImageRemediation": { "advice": [ { "message": "Base Image Vulnerabilities Severity\nalpine:3.19.0 3 0 critical, 0 high, 2 medium, 1 low\n" }, { "bold": true, "message": "Recommendations for base image upgrade:\n" }, { "bold": true, "message": "Minor upgrades" }, { "message": "Base Image Vulnerabilities Severity\nalpine:3.19.1 0 0 critical, 0 high, 0 medium, 0 low\n" } ], "code": "REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@sha256:eaacf219c03843fa1274149ae452502e1945fbeda0df926f91f205007de06639/web:a1a005d", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d", "severityThreshold": "medium", "summary": "4 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", "references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", "references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "2.5.0-r2" } ] }, "created_at": 1707556552.2945533, "has_audit_package": true } }, "reported_by": "ci-pipelines", "git_commit_info": { "sha1": "a1a005dea9c86e04f80a66a82cec4fcce9671d67", "message": "Force ci run so beta/prod aws environment are running same image", "author": "JonJagger <jon@kosli.com>", "timestamp": 1706958889, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/web", "template": [ "artifact", "snyk-scan" ], "last_modified_at": 1707556552.2945533, "deployments": [ 131, 130 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/web-archived-at-1709658792/artifacts/eaacf219c03843fa1274149ae452502e1945fbeda0df926f91f205007de06639", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/web-archived-at-1709658792/fingerprint/eaacf219c03843fa1274149ae452502e1945fbeda0df926f91f205007de06639" }
Artifact Information |
|
Name | cyberdojo/web:a1a005d |
Fingerprint | eaacf219c03843fa1274149ae452502e1945fbeda0df926f91f205007de06639 |
Git commit |
a1a005d
JonJagger <jon@kosli.com> (main)
1706958889.0 • 3 months ago
Force ci run so beta/prod aws environment are running same image
|
CI Build | https://github.com/cyber-dojo/web/actions/runs/7766502744 |
Running | - |
Exited | aws-beta#3005 aws-prod#2132 |
Last modified | 1707556552.2945533 • 2 months ago |
Approvals
None |
Evidence
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7853942406", "evidence_archive_fingerprint": "eda75a3b77885e33ca45e7ad6587267e2a07b4a7d8997e159b60c1c93e7638e9", "user_data": {}, "snyk_results": { "dependencyCount": 53, "docker": { "baseImage": "alpine:3.19.0", "baseImageRemediation": { "advice": [ { "message": "Base Image Vulnerabilities Severity\nalpine:3.19.0 3 0 critical, 0 high, 2 medium, 1 low\n" }, { "bold": true, "message": "Recommendations for base image upgrade:\n" }, { "bold": true, "message": "Minor upgrades" }, { "message": "Base Image Vulnerabilities Severity\nalpine:3.19.1 0 0 critical, 0 high, 0 medium, 0 low\n" } ], "code": "REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@sha256:eaacf219c03843fa1274149ae452502e1945fbeda0df926f91f205007de06639/web:a1a005d", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d", "severityThreshold": "medium", "summary": "4 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", "references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", "references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a1a005d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "2.5.0-r2" } ] }, "created_at": 1707556552.2945533, "has_audit_package": true }