golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
+
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.
+
Details
+
A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.
+
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
+
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
+
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
+
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
+
Types of attacks
+
There are a few methods by which XSS can be manipulated:
+
+
+
+
Type
+
Origin
+
Description
+
+
+
+
Stored
+
Server
+
The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
+
+
+
Reflected
+
Server
+
The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
+
+
+
DOM-based
+
Client
+
The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
+
+
+
Mutated
+
+
The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
+
+
+
Affected environments
+
The following environments are susceptible to an XSS attack:
+
+
Web servers
+
Application servers
+
Web application environments
+
+
How to prevent
+
This section describes the top best practices designed to specifically protect your code:
+
+
Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
+
Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
+
Give users the option to disable client-side scripts.
+
Redirect invalid requests.
+
Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
+
Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
+
Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
+
+
Remediation
+
Upgrade golang.org/x/net/html to version 0.13.0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Introduced through:
- docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@249.11-0ubuntu3.9
+ docker-image|quay.io/argoproj/argocd@latest and procps/libprocps8@2:3.3.17-6ubuntu2
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
+
Note:Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04.See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
+
Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
+
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.
+
Details
+
A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.
+
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
+
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
+
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
+
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
+
Types of attacks
+
There are a few methods by which XSS can be manipulated:
+
+
+
+
Type
+
Origin
+
Description
+
+
+
+
Stored
+
Server
+
The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
+
+
+
Reflected
+
Server
+
The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
+
+
+
DOM-based
+
Client
+
The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
+
+
+
Mutated
+
+
The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
+
+
+
Affected environments
+
The following environments are susceptible to an XSS attack:
+
+
Web servers
+
Application servers
+
Web application environments
+
+
How to prevent
+
This section describes the top best practices designed to specifically protect your code:
+
+
Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
+
Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
+
Give users the option to disable client-side scripts.
+
Redirect invalid requests.
+
Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
+
Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
+
Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
+
+
Remediation
+
Upgrade golang.org/x/net/html to version 0.13.0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.5.21 and systemd/libsystemd0@249.11-0ubuntu3.9
+ docker-image|quay.io/argoproj/argocd@v2.5.21 and procps/libprocps8@2:3.3.17-6ubuntu2
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
+
Note:Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04.See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
+
Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the crypto/openpgp/clearsign/clearsign.go component. An attacker can spoof the 'Hash' Armor Header, leading a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, the attacker can prepend arbitrary text to cleartext messages without invalidating the signatures.
+
Remediation
+
Upgrade golang.org/x/crypto/openpgp/clearsign to version 0.1.0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
+
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.
+
Details
+
A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.
+
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
+
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
+
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
+
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
+
Types of attacks
+
There are a few methods by which XSS can be manipulated:
+
+
+
+
Type
+
Origin
+
Description
+
+
+
+
Stored
+
Server
+
The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
+
+
+
Reflected
+
Server
+
The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
+
+
+
DOM-based
+
Client
+
The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
+
+
+
Mutated
+
+
The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
+
+
+
Affected environments
+
The following environments are susceptible to an XSS attack:
+
+
Web servers
+
Application servers
+
Web application environments
+
+
How to prevent
+
This section describes the top best practices designed to specifically protect your code:
+
+
Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
+
Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
+
Give users the option to disable client-side scripts.
+
Redirect invalid requests.
+
Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
+
Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
+
Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
+
+
Remediation
+
Upgrade golang.org/x/net/html to version 0.13.0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.6.13 and systemd/libsystemd0@249.11-0ubuntu3.9
+ docker-image|quay.io/argoproj/argocd@v2.6.13 and procps/libprocps8@2:3.3.17-6ubuntu2
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
+
Note:Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04.See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
+
Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the crypto/openpgp/clearsign/clearsign.go component. An attacker can spoof the 'Hash' Armor Header, leading a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, the attacker can prepend arbitrary text to cleartext messages without invalidating the signatures.
+
Remediation
+
Upgrade golang.org/x/crypto/openpgp/clearsign to version 0.1.0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
diff --git a/docs/snyk/v2.7.9/argocd-iac-install.html b/docs/snyk/v2.7.10/argocd-iac-install.html
similarity index 99%
rename from docs/snyk/v2.7.9/argocd-iac-install.html
rename to docs/snyk/v2.7.10/argocd-iac-install.html
index 6112822b58ecf..6bcd9025d71e9 100644
--- a/docs/snyk/v2.7.9/argocd-iac-install.html
+++ b/docs/snyk/v2.7.10/argocd-iac-install.html
@@ -456,7 +456,7 @@
Snyk test report
-
July 30th 2023, 12:23:31 am (UTC+00:00)
+
August 6th 2023, 12:21:45 am (UTC+00:00)
Scanned the following path:
diff --git a/docs/snyk/v2.7.9/argocd-iac-namespace-install.html b/docs/snyk/v2.7.10/argocd-iac-namespace-install.html
similarity index 99%
rename from docs/snyk/v2.7.9/argocd-iac-namespace-install.html
rename to docs/snyk/v2.7.10/argocd-iac-namespace-install.html
index 48df22bad2974..1105c6962e60e 100644
--- a/docs/snyk/v2.7.9/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.7.10/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@
Snyk test report
-
July 30th 2023, 12:23:45 am (UTC+00:00)
+
August 6th 2023, 12:21:57 am (UTC+00:00)
Scanned the following path:
diff --git a/docs/snyk/v2.7.9/argocd-test.html b/docs/snyk/v2.7.10/argocd-test.html
similarity index 99%
rename from docs/snyk/v2.7.9/argocd-test.html
rename to docs/snyk/v2.7.10/argocd-test.html
index dcab0ce095774..b434910c23e84 100644
--- a/docs/snyk/v2.7.9/argocd-test.html
+++ b/docs/snyk/v2.7.10/argocd-test.html
@@ -456,7 +456,7 @@
Snyk test report
-
July 30th 2023, 12:21:29 am (UTC+00:00)
+
August 6th 2023, 12:19:44 am (UTC+00:00)
Scanned the following paths:
diff --git a/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html
new file mode 100644
index 0000000000000..6e13ca3147f6c
--- /dev/null
+++ b/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html
@@ -0,0 +1,1079 @@
+
+
+
+
+
+
+
+
+ Snyk test report
+
+
+
+
+
+
+
+
+
+
+
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: The AES-SIV cipher implementation contains a bug that causes
+ it to ignore empty associated data entries which are unauthenticated as
+ a consequence.
+
Impact summary: Applications that use the AES-SIV algorithm and want to
+ authenticate empty data entries as associated data can be mislead by removing
+ adding or reordering such empty entries as these are ignored by the OpenSSL
+ implementation. We are currently unaware of any such applications.
+
The AES-SIV algorithm allows for authentication of multiple associated
+ data entries along with the encryption. To authenticate empty data the
+ application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
+ NULL pointer as the output buffer and 0 as the input buffer length.
+ The AES-SIV implementation in OpenSSL just returns success for such a call
+ instead of performing the associated data authentication operation.
+ The empty data thus will not be authenticated.
+
As this issue does not affect non-empty associated data authentication and
+ we expect it to be rare for an application to use empty associated data
+ entries this is qualified as Low severity issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.1-r2 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. One of those
+ checks confirms that the modulus ('p' parameter) is not too large. Trying to use
+ a very large modulus is slow and OpenSSL will not normally use a modulus which
+ is over 10,000 bits in length.
+
However the DH_check() function checks numerous aspects of the key or parameters
+ that have been supplied. Some of those checks use the supplied modulus value
+ even if it has already been found to be too large.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulernable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the '-check' option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+ The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.1-r3 or higher.
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
+
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.
+
Details
+
A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.
+
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
+
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
+
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
+
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
+
Types of attacks
+
There are a few methods by which XSS can be manipulated:
+
+
+
+
Type
+
Origin
+
Description
+
+
+
+
Stored
+
Server
+
The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
+
+
+
Reflected
+
Server
+
The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
+
+
+
DOM-based
+
Client
+
The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
+
+
+
Mutated
+
+
The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
+
+
+
Affected environments
+
The following environments are susceptible to an XSS attack:
+
+
Web servers
+
Application servers
+
Web application environments
+
+
How to prevent
+
This section describes the top best practices designed to specifically protect your code:
+
+
Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
+
Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
+
Give users the option to disable client-side scripts.
+
Redirect invalid requests.
+
Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
+
Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
+
Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
+
+
Remediation
+
Upgrade golang.org/x/net/html to version 0.13.0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping.
- If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would
- occur.
+
Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
@@ -542,43 +539,45 @@
Details
Remediation
-
Upgrade nhooyr.io/websocket to version 1.8.7 or higher.
+
Upgrade golang.org/x/net/http2/hpack to version 0.7.0 or higher.
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and systemd/libsystemd0@249.11-0ubuntu3.9
+ helm.sh/helm/v3@* and golang.org/x/net/http2@v0.5.0
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.
+
Details
+
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
+
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
+
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
+
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
+
+
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
+
Upgrade golang.org/x/net/http2 to version 0.7.0 or higher.
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and systemd/libsystemd0@249.11-0ubuntu3.9
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and procps/libprocps8@2:3.3.17-6ubuntu2
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
+
Note:Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04.See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
+
Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and shadow/passwd@1:4.8.1-2ubuntu2.1
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and shadow/passwd@1:4.8.1-2ubuntu2.1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and patch@2.7.6-7build2
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and patch@2.7.6-7build2
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and patch@2.7.6-7build2
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and patch@2.7.6-7build2
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and openssl/libssl3@3.0.2-0ubuntu1.10
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and openssl/libssl3@3.0.2-0ubuntu1.10
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and gnupg2/gpgv@2.2.27-3ubuntu2.1
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and gnupg2/gpgv@2.2.27-3ubuntu2.1
Allocation of Resources Without Limits or Throttling
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and glibc/libc-bin@2.35-0ubuntu3.1
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and glibc/libc-bin@2.35-0ubuntu3.1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and coreutils@8.32-4.1ubuntu1
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and coreutils@8.32-4.1ubuntu1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6 and bash@5.1-6ubuntu1
+ docker-image|quay.io/argoproj/argocd@v2.7.10 and bash@5.1-6ubuntu1
@@ -2765,7 +2421,7 @@
Detailed paths
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.8.0-rc6
+ docker-image|quay.io/argoproj/argocd@v2.7.10
›
bash@5.1-6ubuntu1
diff --git a/docs/snyk/v2.7.9/redis_7.0.11-alpine.html b/docs/snyk/v2.7.10/redis_7.0.11-alpine.html
similarity index 75%
rename from docs/snyk/v2.7.9/redis_7.0.11-alpine.html
rename to docs/snyk/v2.7.10/redis_7.0.11-alpine.html
index 2cfbf3c724cbf..dc7d6f7ecb4a1 100644
--- a/docs/snyk/v2.7.9/redis_7.0.11-alpine.html
+++ b/docs/snyk/v2.7.10/redis_7.0.11-alpine.html
@@ -7,7 +7,7 @@
Snyk test report
-
+
@@ -456,7 +456,7 @@
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
- See How to fix? for Alpine:3.18 relevant fixed versions and status.
-
Issue summary: The AES-SIV cipher implementation contains a bug that causes
- it to ignore empty associated data entries which are unauthenticated as
- a consequence.
-
Impact summary: Applications that use the AES-SIV algorithm and want to
- authenticate empty data entries as associated data can be mislead by removing
- adding or reordering such empty entries as these are ignored by the OpenSSL
- implementation. We are currently unaware of any such applications.
-
The AES-SIV algorithm allows for authentication of multiple associated
- data entries along with the encryption. To authenticate empty data the
- application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
- NULL pointer as the output buffer and 0 as the input buffer length.
- The AES-SIV implementation in OpenSSL just returns success for such a call
- instead of performing the associated data authentication operation.
- The empty data thus will not be authenticated.
-
As this issue does not affect non-empty associated data authentication and
- we expect it to be rare for an application to use empty associated data
- entries this is qualified as Low severity issue.
-
Remediation
-
Upgrade Alpine:3.18openssl to version 3.1.1-r2 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
- See How to fix? for Alpine:3.18 relevant fixed versions and status.
-
Issue summary: Checking excessively long DH keys or parameters may be very slow.
-
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
- or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
- delays. Where the key or parameters that are being checked have been obtained
- from an untrusted source this may lead to a Denial of Service.
-
The function DH_check() performs various checks on DH parameters. One of those
- checks confirms that the modulus ('p' parameter) is not too large. Trying to use
- a very large modulus is slow and OpenSSL will not normally use a modulus which
- is over 10,000 bits in length.
-
However the DH_check() function checks numerous aspects of the key or parameters
- that have been supplied. Some of those checks use the supplied modulus value
- even if it has already been found to be too large.
-
An application that calls DH_check() and supplies a key or parameters obtained
- from an untrusted source could be vulernable to a Denial of Service attack.
-
The function DH_check() is itself called by a number of other OpenSSL functions.
- An application calling any of those other functions may similarly be affected.
- The other functions affected by this are DH_check_ex() and
- EVP_PKEY_param_check().
-
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
- when using the '-check' option.
-
The OpenSSL SSL/TLS implementation is not affected by this issue.
- The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
-
Remediation
-
Upgrade Alpine:3.18openssl to version 3.1.1-r3 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
- See How to fix? for Alpine:3.18 relevant fixed versions and status.
-
Issue summary: The AES-SIV cipher implementation contains a bug that causes
- it to ignore empty associated data entries which are unauthenticated as
- a consequence.
-
Impact summary: Applications that use the AES-SIV algorithm and want to
- authenticate empty data entries as associated data can be mislead by removing
- adding or reordering such empty entries as these are ignored by the OpenSSL
- implementation. We are currently unaware of any such applications.
-
The AES-SIV algorithm allows for authentication of multiple associated
- data entries along with the encryption. To authenticate empty data the
- application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
- NULL pointer as the output buffer and 0 as the input buffer length.
- The AES-SIV implementation in OpenSSL just returns success for such a call
- instead of performing the associated data authentication operation.
- The empty data thus will not be authenticated.
-
As this issue does not affect non-empty associated data authentication and
- we expect it to be rare for an application to use empty associated data
- entries this is qualified as Low severity issue.
-
Remediation
-
Upgrade Alpine:3.18openssl to version 3.1.1-r2 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
- See How to fix? for Alpine:3.18 relevant fixed versions and status.
-
Issue summary: Checking excessively long DH keys or parameters may be very slow.
-
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
- or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
- delays. Where the key or parameters that are being checked have been obtained
- from an untrusted source this may lead to a Denial of Service.
-
The function DH_check() performs various checks on DH parameters. One of those
- checks confirms that the modulus ('p' parameter) is not too large. Trying to use
- a very large modulus is slow and OpenSSL will not normally use a modulus which
- is over 10,000 bits in length.
-
However the DH_check() function checks numerous aspects of the key or parameters
- that have been supplied. Some of those checks use the supplied modulus value
- even if it has already been found to be too large.
-
An application that calls DH_check() and supplies a key or parameters obtained
- from an untrusted source could be vulernable to a Denial of Service attack.
-
The function DH_check() is itself called by a number of other OpenSSL functions.
- An application calling any of those other functions may similarly be affected.
- The other functions affected by this are DH_check_ex() and
- EVP_PKEY_param_check().
-
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
- when using the '-check' option.
-
The OpenSSL SSL/TLS implementation is not affected by this issue.
- The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
-
Remediation
-
Upgrade Alpine:3.18openssl to version 3.1.1-r3 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: The AES-SIV cipher implementation contains a bug that causes
+ it to ignore empty associated data entries which are unauthenticated as
+ a consequence.
+
Impact summary: Applications that use the AES-SIV algorithm and want to
+ authenticate empty data entries as associated data can be mislead by removing
+ adding or reordering such empty entries as these are ignored by the OpenSSL
+ implementation. We are currently unaware of any such applications.
+
The AES-SIV algorithm allows for authentication of multiple associated
+ data entries along with the encryption. To authenticate empty data the
+ application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
+ NULL pointer as the output buffer and 0 as the input buffer length.
+ The AES-SIV implementation in OpenSSL just returns success for such a call
+ instead of performing the associated data authentication operation.
+ The empty data thus will not be authenticated.
+
As this issue does not affect non-empty associated data authentication and
+ we expect it to be rare for an application to use empty associated data
+ entries this is qualified as Low severity issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.1-r2 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. One of those
+ checks confirms that the modulus ('p' parameter) is not too large. Trying to use
+ a very large modulus is slow and OpenSSL will not normally use a modulus which
+ is over 10,000 bits in length.
+
However the DH_check() function checks numerous aspects of the key or parameters
+ that have been supplied. Some of those checks use the supplied modulus value
+ even if it has already been found to be too large.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulernable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the '-check' option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+ The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.1-r3 or higher.
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
+
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.
+
Details
+
A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.
+
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.
+
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.
+
Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as < and > can be coded as > in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
+
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.
+
Types of attacks
+
There are a few methods by which XSS can be manipulated:
+
+
+
+
Type
+
Origin
+
Description
+
+
+
+
Stored
+
Server
+
The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
+
+
+
Reflected
+
Server
+
The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
+
+
+
DOM-based
+
Client
+
The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
+
+
+
Mutated
+
+
The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
+
+
+
Affected environments
+
The following environments are susceptible to an XSS attack:
+
+
Web servers
+
Application servers
+
Web application environments
+
+
How to prevent
+
This section describes the top best practices designed to specifically protect your code:
+
+
Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
+
Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
+
Give users the option to disable client-side scripts.
+
Redirect invalid requests.
+
Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
+
Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
+
Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
+
+
Remediation
+
Upgrade golang.org/x/net/html to version 0.13.0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.
Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.
Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping.
+ If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would
+ occur.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
@@ -539,274 +542,22 @@
Details
Remediation
-
Upgrade golang.org/x/net/http2/hpack to version 0.7.0 or higher.
+
Upgrade nhooyr.io/websocket to version 1.8.7 or higher.
Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.
-
Details
-
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
-
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
-
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
-
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
-
Two common types of DoS vulnerabilities:
-
-
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
-
-
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package
-
-
-
Remediation
-
Upgrade golang.org/x/net/http2 to version 0.7.0 or higher.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and systemd/libsystemd0@249.11-0ubuntu3.9
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and procps/libprocps8@2:3.3.17-6ubuntu2
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
-
Remediation
-
There is no fixed version for Ubuntu:22.04systemd.
Note:Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04.
+
Note:Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04.See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
+
Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.
Remediation
-
Upgrade Ubuntu:22.04openssh to version 1:8.9p1-3ubuntu0.3 or higher.
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and shadow/passwd@1:4.8.1-2ubuntu2.1
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and shadow/passwd@1:4.8.1-2ubuntu2.1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and patch@2.7.6-7build2
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and patch@2.7.6-7build2
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and patch@2.7.6-7build2
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and patch@2.7.6-7build2
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and openssl/libssl3@3.0.2-0ubuntu1.10
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and openssl/libssl3@3.0.2-0ubuntu1.10
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and openssh/openssh-client@1:8.9p1-3ubuntu0.1
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and gnupg2/gpgv@2.2.27-3ubuntu2.1
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and gnupg2/gpgv@2.2.27-3ubuntu2.1
Allocation of Resources Without Limits or Throttling
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and glibc/libc-bin@2.35-0ubuntu3.1
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and glibc/libc-bin@2.35-0ubuntu3.1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and coreutils@8.32-4.1ubuntu1
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and coreutils@8.32-4.1ubuntu1
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9 and bash@5.1-6ubuntu1
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and bash@5.1-6ubuntu1
@@ -2924,7 +2342,7 @@
Detailed paths
Introduced through:
- docker-image|quay.io/argoproj/argocd@v2.7.9
+ docker-image|quay.io/argoproj/argocd@v2.8.0-rc7
›
bash@5.1-6ubuntu1
diff --git a/docs/snyk/v2.8.0-rc6/redis_7.0.11-alpine.html b/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html
similarity index 75%
rename from docs/snyk/v2.8.0-rc6/redis_7.0.11-alpine.html
rename to docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html
index df0c944b6ad3b..609f13a881840 100644
--- a/docs/snyk/v2.8.0-rc6/redis_7.0.11-alpine.html
+++ b/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html
@@ -7,7 +7,7 @@
Snyk test report
-
+
@@ -456,7 +456,7 @@
Note:Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Checking excessively long DH keys or parameters may be very slow.
+
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
+ or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
+ delays. Where the key or parameters that are being checked have been obtained
+ from an untrusted source this may lead to a Denial of Service.
+
The function DH_check() performs various checks on DH parameters. After fixing
+ CVE-2023-3446 it was discovered that a large q parameter value can also trigger
+ an overly long computation during some of these checks. A correct q value,
+ if present, cannot be larger than the modulus p parameter, thus it is
+ unnecessary to perform these checks if q is larger than p.
+
An application that calls DH_check() and supplies a key or parameters obtained
+ from an untrusted source could be vulnerable to a Denial of Service attack.
+
The function DH_check() is itself called by a number of other OpenSSL functions.
+ An application calling any of those other functions may similarly be affected.
+ The other functions affected by this are DH_check_ex() and
+ EVP_PKEY_param_check().
+
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
+ when using the "-check" option.
+
The OpenSSL SSL/TLS implementation is not affected by this issue.
+
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18openssl to version 3.1.2-r0 or higher.