diff --git a/docs/snyk/index.md b/docs/snyk/index.md index 386f930c6ac2c..3b38f8d119dc9 100644 --- a/docs/snyk/index.md +++ b/docs/snyk/index.md @@ -13,12 +13,12 @@ recent minor releases. | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](master/argocd-test.html) | 0 | 1 | 0 | 0 | +| [go.mod](master/argocd-test.html) | 0 | 0 | 0 | 0 | | [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 | -| [dex:v2.37.0](master/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | -| [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | -| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 1 | 15 | -| [redis:7.0.11-alpine](master/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | +| [dex:v2.37.0](master/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 3 | 0 | +| [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | +| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 2 | 15 | +| [redis:7.0.11-alpine](master/redis_7.0.11-alpine.html) | 0 | 0 | 3 | 0 | | [install.yaml](master/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - | 
@@ -28,48 +28,48 @@ recent minor releases. |---:|:--------:|:----:|:------:|:---:| | [go.mod](v2.8.0-rc7/argocd-test.html) | 0 | 1 | 0 | 0 | | [ui/yarn.lock](v2.8.0-rc7/argocd-test.html) | 0 | 0 | 0 | 0 | -| [dex:v2.37.0](v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | -| [haproxy:2.6.14-alpine](v2.8.0-rc7/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | -| [argocd:v2.8.0-rc7](v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html) | 0 | 0 | 1 | 15 | -| [redis:7.0.11-alpine](v2.8.0-rc7/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | +| [dex:v2.37.0](v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 3 | 0 | +| [haproxy:2.6.14-alpine](v2.8.0-rc7/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | +| [argocd:v2.8.0-rc7](v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html) | 0 | 0 | 2 | 15 | +| [redis:7.0.11-alpine](v2.8.0-rc7/redis_7.0.11-alpine.html) | 0 | 0 | 3 | 0 | | [install.yaml](v2.8.0-rc7/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.8.0-rc7/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.7.10 +### v2.7.11 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.7.10/argocd-test.html) | 0 | 0 | 0 | 0 | -| [ui/yarn.lock](v2.7.10/argocd-test.html) | 0 | 1 | 0 | 0 | -| [dex:v2.37.0](v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | -| [haproxy:2.6.14-alpine](v2.7.10/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | -| [argocd:v2.7.10](v2.7.10/quay.io_argoproj_argocd_v2.7.10.html) | 0 | 0 | 1 | 15 | -| [redis:7.0.11-alpine](v2.7.10/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | -| [install.yaml](v2.7.10/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.7.10/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.7.11/argocd-test.html) | 0 | 0 | 0 | 0 | +| [ui/yarn.lock](v2.7.11/argocd-test.html) | 0 | 1 | 0 | 0 | +| [dex:v2.37.0](v2.7.11/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 3 | 0 | +| [haproxy:2.6.14-alpine](v2.7.11/haproxy_2.6.14-alpine.html) | 0 
| 0 | 0 | 0 | +| [argocd:v2.7.11](v2.7.11/quay.io_argoproj_argocd_v2.7.11.html) | 0 | 0 | 2 | 15 | +| [redis:7.0.11-alpine](v2.7.11/redis_7.0.11-alpine.html) | 0 | 0 | 3 | 0 | +| [install.yaml](v2.7.11/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.7.11/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.6.13 +### v2.6.14 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.6.13/argocd-test.html) | 0 | 0 | 0 | 0 | -| [ui/yarn.lock](v2.6.13/argocd-test.html) | 0 | 1 | 0 | 0 | -| [dex:v2.37.0](v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | -| [haproxy:2.6.14-alpine](v2.6.13/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | -| [argocd:v2.6.13](v2.6.13/quay.io_argoproj_argocd_v2.6.13.html) | 0 | 0 | 2 | 15 | -| [redis:7.0.11-alpine](v2.6.13/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | -| [install.yaml](v2.6.13/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.6.13/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.6.14/argocd-test.html) | 0 | 0 | 0 | 0 | +| [ui/yarn.lock](v2.6.14/argocd-test.html) | 0 | 1 | 0 | 0 | +| [dex:v2.37.0](v2.6.14/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 3 | 0 | +| [haproxy:2.6.14-alpine](v2.6.14/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | +| [argocd:v2.6.14](v2.6.14/quay.io_argoproj_argocd_v2.6.14.html) | 0 | 0 | 2 | 15 | +| [redis:7.0.11-alpine](v2.6.14/redis_7.0.11-alpine.html) | 0 | 0 | 3 | 0 | +| [install.yaml](v2.6.14/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.6.14/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.5.21 +### v2.5.22 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.5.21/argocd-test.html) | 0 | 0 | 2 | 0 | -| [ui/yarn.lock](v2.5.21/argocd-test.html) | 0 | 1 | 4 | 0 | -| [dex:v2.37.0](v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | -| [haproxy:2.6.14-alpine](v2.5.21/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 
| 1 | -| [argocd:v2.5.21](v2.5.21/quay.io_argoproj_argocd_v2.5.21.html) | 0 | 0 | 2 | 15 | -| [redis:7.0.11-alpine](v2.5.21/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | -| [install.yaml](v2.5.21/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.5.21/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.5.22/argocd-test.html) | 0 | 0 | 2 | 0 | +| [ui/yarn.lock](v2.5.22/argocd-test.html) | 0 | 1 | 4 | 0 | +| [dex:v2.37.0](v2.5.22/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 3 | 0 | +| [haproxy:2.6.14-alpine](v2.5.22/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | +| [argocd:v2.5.22](v2.5.22/quay.io_argoproj_argocd_v2.5.22.html) | 0 | 0 | 2 | 15 | +| [redis:7.0.11-alpine](v2.5.22/redis_7.0.11-alpine.html) | 0 | 0 | 3 | 0 | +| [install.yaml](v2.5.22/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.5.22/argocd-iac-namespace-install.html) | - | - | - | - | diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index e09c623374e61..28eeb9c116c57 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@

Snyk test report

-

August 6th 2023, 12:16:29 am (UTC+00:00)

+

August 13th 2023, 12:16:02 am (UTC+00:00)

Scanned the following path: @@ -507,7 +507,7 @@

Role with dangerous permissions

  • - Line number: 18472 + Line number: 18478
  • @@ -553,7 +553,7 @@

    Role with dangerous permissions

  • - Line number: 18549 + Line number: 18555
  • @@ -599,7 +599,7 @@

    Role with dangerous permissions

  • - Line number: 18577 + Line number: 18583
  • @@ -645,7 +645,7 @@

    Role with dangerous permissions

  • - Line number: 18625 + Line number: 18631
  • @@ -691,7 +691,7 @@

    Role with dangerous permissions

  • - Line number: 18607 + Line number: 18613
  • @@ -737,7 +737,7 @@

    Role with dangerous permissions

  • - Line number: 18641 + Line number: 18647
  • @@ -789,7 +789,7 @@

    Container could be running with outdated image

  • - Line number: 19737 + Line number: 19744
  • @@ -847,7 +847,7 @@

    Container has no CPU limit

  • - Line number: 19112 + Line number: 19119
  • @@ -905,7 +905,7 @@

    Container has no CPU limit

  • - Line number: 19345 + Line number: 19352
  • @@ -963,7 +963,7 @@

    Container has no CPU limit

  • - Line number: 19311 + Line number: 19318
  • @@ -1021,7 +1021,7 @@

    Container has no CPU limit

  • - Line number: 19405 + Line number: 19412
  • @@ -1079,7 +1079,7 @@

    Container has no CPU limit

  • - Line number: 19492 + Line number: 19499
  • @@ -1137,7 +1137,7 @@

    Container has no CPU limit

  • - Line number: 19737 + Line number: 19744
  • @@ -1195,7 +1195,7 @@

    Container has no CPU limit

  • - Line number: 19549 + Line number: 19556
  • @@ -1253,7 +1253,7 @@

    Container has no CPU limit

  • - Line number: 19822 + Line number: 19829
  • @@ -1311,7 +1311,7 @@

    Container has no CPU limit

  • - Line number: 20138 + Line number: 20145
  • @@ -1363,7 +1363,7 @@

    Container is running with multiple open ports

  • - Line number: 19325 + Line number: 19332
  • @@ -1415,7 +1415,7 @@

    Container is running without liveness probe

  • - Line number: 19112 + Line number: 19119
  • @@ -1467,7 +1467,7 @@

    Container is running without liveness probe

  • - Line number: 19311 + Line number: 19318
  • @@ -1519,7 +1519,7 @@

    Container is running without liveness probe

  • - Line number: 19345 + Line number: 19352
  • @@ -1571,7 +1571,7 @@

    Container is running without liveness probe

  • - Line number: 19492 + Line number: 19499
  • @@ -1623,7 +1623,7 @@

    Container is running without liveness probe

  • - Line number: 19737 + Line number: 19744
  • @@ -1681,7 +1681,7 @@

    Container is running without memory limit

  • - Line number: 19112 + Line number: 19119
  • @@ -1739,7 +1739,7 @@

    Container is running without memory limit

  • - Line number: 19311 + Line number: 19318
  • @@ -1797,7 +1797,7 @@

    Container is running without memory limit

  • - Line number: 19345 + Line number: 19352
  • @@ -1855,7 +1855,7 @@

    Container is running without memory limit

  • - Line number: 19405 + Line number: 19412
  • @@ -1913,7 +1913,7 @@

    Container is running without memory limit

  • - Line number: 19492 + Line number: 19499
  • @@ -1971,7 +1971,7 @@

    Container is running without memory limit

  • - Line number: 19737 + Line number: 19744
  • @@ -2029,7 +2029,7 @@

    Container is running without memory limit

  • - Line number: 19549 + Line number: 19556
  • @@ -2087,7 +2087,7 @@

    Container is running without memory limit

  • - Line number: 19822 + Line number: 19829
  • @@ -2145,7 +2145,7 @@

    Container is running without memory limit

  • - Line number: 20138 + Line number: 20145
  • @@ -2201,7 +2201,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19235 + Line number: 19242
  • @@ -2257,7 +2257,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19353 + Line number: 19360
  • @@ -2313,7 +2313,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19328 + Line number: 19335
  • @@ -2369,7 +2369,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19426 + Line number: 19433
  • @@ -2425,7 +2425,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19502 + Line number: 19509
  • @@ -2481,7 +2481,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19744 + Line number: 19751
  • @@ -2537,7 +2537,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19710 + Line number: 19717
  • @@ -2593,7 +2593,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 20048 + Line number: 20055
  • @@ -2649,7 +2649,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 20286 + Line number: 20293
  • diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index 8681140fe63db..39cbb14b7d533 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:16:42 am (UTC+00:00)

    +

    August 13th 2023, 12:16:14 am (UTC+00:00)

    Scanned the following path: @@ -789,7 +789,7 @@

    Container could be running with outdated image

  • - Line number: 1249 + Line number: 1250
  • @@ -847,7 +847,7 @@

    Container has no CPU limit

  • - Line number: 624 + Line number: 625
  • @@ -905,7 +905,7 @@

    Container has no CPU limit

  • - Line number: 857 + Line number: 858
  • @@ -963,7 +963,7 @@

    Container has no CPU limit

  • - Line number: 823 + Line number: 824
  • @@ -1021,7 +1021,7 @@

    Container has no CPU limit

  • - Line number: 917 + Line number: 918
  • @@ -1079,7 +1079,7 @@

    Container has no CPU limit

  • - Line number: 1004 + Line number: 1005
  • @@ -1137,7 +1137,7 @@

    Container has no CPU limit

  • - Line number: 1249 + Line number: 1250
  • @@ -1195,7 +1195,7 @@

    Container has no CPU limit

  • - Line number: 1061 + Line number: 1062
  • @@ -1253,7 +1253,7 @@

    Container has no CPU limit

  • - Line number: 1334 + Line number: 1335
  • @@ -1311,7 +1311,7 @@

    Container has no CPU limit

  • - Line number: 1650 + Line number: 1651
  • @@ -1363,7 +1363,7 @@

    Container is running with multiple open ports

  • - Line number: 837 + Line number: 838
  • @@ -1415,7 +1415,7 @@

    Container is running without liveness probe

  • - Line number: 624 + Line number: 625
  • @@ -1467,7 +1467,7 @@

    Container is running without liveness probe

  • - Line number: 823 + Line number: 824
  • @@ -1519,7 +1519,7 @@

    Container is running without liveness probe

  • - Line number: 857 + Line number: 858
  • @@ -1571,7 +1571,7 @@

    Container is running without liveness probe

  • - Line number: 1004 + Line number: 1005
  • @@ -1623,7 +1623,7 @@

    Container is running without liveness probe

  • - Line number: 1249 + Line number: 1250
  • @@ -1681,7 +1681,7 @@

    Container is running without memory limit

  • - Line number: 624 + Line number: 625
  • @@ -1739,7 +1739,7 @@

    Container is running without memory limit

  • - Line number: 823 + Line number: 824
  • @@ -1797,7 +1797,7 @@

    Container is running without memory limit

  • - Line number: 857 + Line number: 858
  • @@ -1855,7 +1855,7 @@

    Container is running without memory limit

  • - Line number: 917 + Line number: 918
  • @@ -1913,7 +1913,7 @@

    Container is running without memory limit

  • - Line number: 1004 + Line number: 1005
  • @@ -1971,7 +1971,7 @@

    Container is running without memory limit

  • - Line number: 1249 + Line number: 1250
  • @@ -2029,7 +2029,7 @@

    Container is running without memory limit

  • - Line number: 1061 + Line number: 1062
  • @@ -2087,7 +2087,7 @@

    Container is running without memory limit

  • - Line number: 1334 + Line number: 1335
  • @@ -2145,7 +2145,7 @@

    Container is running without memory limit

  • - Line number: 1650 + Line number: 1651
  • @@ -2201,7 +2201,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 747 + Line number: 748
  • @@ -2257,7 +2257,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 865 + Line number: 866
  • @@ -2313,7 +2313,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 840 + Line number: 841
  • @@ -2369,7 +2369,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 938 + Line number: 939
  • @@ -2425,7 +2425,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1014 + Line number: 1015
  • @@ -2481,7 +2481,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1256 + Line number: 1257
  • @@ -2537,7 +2537,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1222 + Line number: 1223
  • @@ -2593,7 +2593,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1560 + Line number: 1561
  • @@ -2649,7 +2649,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1798 + Line number: 1799
  • diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index c81da2fd13242..e32fc44b0f52e 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:14:07 am (UTC+00:00)

    +

    August 13th 2023, 12:13:27 am (UTC+00:00)

    Scanned the following paths: @@ -466,99 +466,16 @@

    Snyk test report

    -
    1 known vulnerabilities
    -
    1 vulnerable dependency paths
    -
    1859 dependencies
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    +
    1860 dependencies

    -
    -
    -

    Denial of Service (DoS)

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - nhooyr.io/websocket -
    • - -
    • Introduced through: - - - github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 - - nhooyr.io/websocket@1.8.6 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    nhooyr.io/websocket is a minimal and idiomatic WebSocket library for Go.

    -

    Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping. - If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would - occur.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade nhooyr.io/websocket to version 1.8.7 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html index e4081cb340c45..75bf683f2f592 100644 --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:14:19 am (UTC+00:00)

    +

    August 13th 2023, 12:13:40 am (UTC+00:00)

    Scanned the following paths: @@ -792,7 +792,7 @@

    References

    -

    Cross-site Scripting (XSS)

    +

    Excessive Iteration

    @@ -801,129 +801,6 @@

    Cross-site Scripting (XSS)


    -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/html@v0.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    -

    Details

    -

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    - -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    - -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    -
    • Package Manager: alpine:3.18 @@ -1071,6 +948,129 @@

      References

    +
    +

    Cross-site Scripting (XSS)

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    +

    Details

    +

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    +

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    +

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    +

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    +

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    +

    Types of attacks

    +

    There are a few methods by which XSS can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    +

    Affected environments

    +

    The following environments are susceptible to an XSS attack:

    + +

    How to prevent

    +

    This section describes the top best practices designed to specifically protect your code:

    + +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    +

    References

    + + +
    + + + +
    diff --git a/docs/snyk/master/haproxy_2.6.14-alpine.html b/docs/snyk/master/haproxy_2.6.14-alpine.html index cabb372c109f5..5908a781791c8 100644 --- a/docs/snyk/master/haproxy_2.6.14-alpine.html +++ b/docs/snyk/master/haproxy_2.6.14-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:14:24 am (UTC+00:00)

    +

    August 13th 2023, 12:13:45 am (UTC+00:00)

    Scanned the following path: @@ -466,8 +466,8 @@

    Snyk test report

    -
    3 known vulnerabilities
    -
    27 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    18 dependencies
    @@ -484,546 +484,7 @@

    Snyk test report

    -
    -
    -

    Improper Authentication

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: The AES-SIV cipher implementation contains a bug that causes - it to ignore empty associated data entries which are unauthenticated as - a consequence.

    -

    Impact summary: Applications that use the AES-SIV algorithm and want to - authenticate empty data entries as associated data can be mislead by removing - adding or reordering such empty entries as these are ignored by the OpenSSL - implementation. We are currently unaware of any such applications.

    -

    The AES-SIV algorithm allows for authentication of multiple associated - data entries along with the encryption. To authenticate empty data the - application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with - NULL pointer as the output buffer and 0 as the input buffer length. - The AES-SIV implementation in OpenSSL just returns success for such a call - instead of performing the associated data authentication operation. - The empty data thus will not be authenticated.

    -

    As this issue does not affect non-empty associated data authentication and - we expect it to be rare for an application to use empty associated data - entries this is qualified as Low severity issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Inefficient Regular Expression Complexity

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. One of those - checks confirms that the modulus ('p' parameter) is not too large. Trying to use - a very large modulus is slow and OpenSSL will not normally use a modulus which - is over 10,000 bits in length.

    -

    However the DH_check() function checks numerous aspects of the key or parameters - that have been supplied. Some of those checks use the supplied modulus value - even if it has already been found to be too large.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulernable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the '-check' option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue. - The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. After fixing - CVE-2023-3446 it was discovered that a large q parameter value can also trigger - an overly long computation during some of these checks. A correct q value, - if present, cannot be larger than the modulus p parameter, thus it is - unnecessary to perform these checks if q is larger than p.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulnerable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the "-check" option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    -

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index e47e9c2a08848..4e9f33b188f6e 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:14:47 am (UTC+00:00)

    +

    August 13th 2023, 12:14:19 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    17 known vulnerabilities
    -
    74 vulnerable dependency paths
    -
    2126 dependencies
    +
    84 vulnerable dependency paths
    +
    2114 dependencies
    @@ -476,29 +476,29 @@

    Snyk test report

    -
    -

    Denial of Service (DoS)

    +
    +

    Out-of-bounds Write

    -
    - high severity +
    + medium severity

    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - nhooyr.io/websocket + procps/libprocps8
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and nhooyr.io/websocket@v1.8.6 + docker-image|quay.io/argoproj/argocd@latest and procps/libprocps8@2:3.3.17-6ubuntu2
    @@ -511,9 +511,29 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@latest + + procps/libprocps8@2:3.3.17-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + procps@2:3.3.17-6ubuntu2 + + procps/libprocps8@2:3.3.17-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest - nhooyr.io/websocket@v1.8.6 + procps@2:3.3.17-6ubuntu2 @@ -524,40 +544,27 @@

      Detailed paths


      -

      Overview

      -

      nhooyr.io/websocket is a minimal and idiomatic WebSocket library for Go.

      -

      Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping. - If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would - occur.

      -

      Details

      -

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      -

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      -

      One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

      -

      When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

      -

      Two common types of DoS vulnerabilities:

      -
        -
      • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

        -
      • -
      • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

        -
      • -
      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

      Remediation

      -

      Upgrade nhooyr.io/websocket to version 1.8.7 or higher.

      +

      There is no fixed version for Ubuntu:22.04 procps.

      References


    -

    CVE-2023-4016

    +

    CVE-2023-36054

    @@ -573,12 +580,12 @@

    CVE-2023-4016

  • Vulnerable module: - procps/libprocps8 + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@latest and procps/libprocps8@2:3.3.17-6ubuntu2 + docker-image|quay.io/argoproj/argocd@latest and krb5/libk5crypto3@1.19.2-2ubuntu0.2
  • @@ -593,7 +600,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - procps/libprocps8@2:3.3.17-6ubuntu2 + krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -602,9 +609,19 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - procps@2:3.3.17-6ubuntu2 + adduser@3.118ubuntu5 - procps/libprocps8@2:3.3.17-6ubuntu2 + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -613,7 +630,129 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - procps@2:3.3.17-6ubuntu2 + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + + +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + meta-common-packages@meta + + krb5/libkrb5support0@1.19.2-2ubuntu0.2 @@ -625,21 +764,24 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04. +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

    +

    lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 procps.

    +

    There is no fixed version for Ubuntu:22.04 krb5.

    References


  • @@ -1339,7 +1481,7 @@

    Detailed paths

    gnupg2/dirmngr@2.2.27-3ubuntu2.1 - openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1 + openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.1 @@ -1352,7 +1494,7 @@

    Detailed paths

    curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 - openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1 + openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.1 @@ -1361,7 +1503,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - openldap/libldap-common@2.5.15+dfsg-0ubuntu0.22.04.1 + openldap/libldap-common@2.5.16+dfsg-0ubuntu0.22.04.1 diff --git a/docs/snyk/master/redis_7.0.11-alpine.html b/docs/snyk/master/redis_7.0.11-alpine.html index d50f12a8913d2..43ad8c8b79904 100644 --- a/docs/snyk/master/redis_7.0.11-alpine.html +++ b/docs/snyk/master/redis_7.0.11-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:14:57 am (UTC+00:00)

    +

    August 13th 2023, 12:14:26 am (UTC+00:00)

    Scanned the following path: @@ -844,12 +844,12 @@

    References

    -
    -

    CVE-2023-3817

    +
    +

    Excessive Iteration

    -
    - low severity +
    + medium severity

    diff --git a/docs/snyk/v2.5.21/haproxy_2.6.14-alpine.html b/docs/snyk/v2.5.21/haproxy_2.6.14-alpine.html deleted file mode 100644 index 43a5d3be893f2..0000000000000 --- a/docs/snyk/v2.5.21/haproxy_2.6.14-alpine.html +++ /dev/null @@ -1,1031 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    August 6th 2023, 12:24:49 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • haproxy:2.6.14-alpine (apk)
    • -
    -
    - -
    -
    3 known vulnerabilities
    -
    27 vulnerable dependency paths
    -
    18 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    -
    -
    -
    -
    -

    Improper Authentication

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: The AES-SIV cipher implementation contains a bug that causes - it to ignore empty associated data entries which are unauthenticated as - a consequence.

    -

    Impact summary: Applications that use the AES-SIV algorithm and want to - authenticate empty data entries as associated data can be mislead by removing - adding or reordering such empty entries as these are ignored by the OpenSSL - implementation. We are currently unaware of any such applications.

    -

    The AES-SIV algorithm allows for authentication of multiple associated - data entries along with the encryption. To authenticate empty data the - application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with - NULL pointer as the output buffer and 0 as the input buffer length. - The AES-SIV implementation in OpenSSL just returns success for such a call - instead of performing the associated data authentication operation. - The empty data thus will not be authenticated.

    -

    As this issue does not affect non-empty associated data authentication and - we expect it to be rare for an application to use empty associated data - entries this is qualified as Low severity issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Inefficient Regular Expression Complexity

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. One of those - checks confirms that the modulus ('p' parameter) is not too large. Trying to use - a very large modulus is slow and OpenSSL will not normally use a modulus which - is over 10,000 bits in length.

    -

    However the DH_check() function checks numerous aspects of the key or parameters - that have been supplied. Some of those checks use the supplied modulus value - even if it has already been found to be too large.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulernable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the '-check' option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue. - The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. After fixing - CVE-2023-3446 it was discovered that a large q parameter value can also trigger - an overly long computation during some of these checks. A correct q value, - if present, cannot be larger than the modulus p parameter, thus it is - unnecessary to perform these checks if q is larger than p.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulnerable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the "-check" option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    -

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v2.5.21/argocd-iac-install.html b/docs/snyk/v2.5.22/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.5.21/argocd-iac-install.html rename to docs/snyk/v2.5.22/argocd-iac-install.html index 877a64411205a..312be3f446992 100644 --- a/docs/snyk/v2.5.21/argocd-iac-install.html +++ b/docs/snyk/v2.5.22/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:26:07 am (UTC+00:00)

    +

    August 13th 2023, 12:26:29 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.5.21/argocd-iac-namespace-install.html b/docs/snyk/v2.5.22/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.5.21/argocd-iac-namespace-install.html rename to docs/snyk/v2.5.22/argocd-iac-namespace-install.html index 8eefa6b405146..1932c53c9ffaf 100644 --- a/docs/snyk/v2.5.21/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.5.22/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:26:17 am (UTC+00:00)

    +

    August 13th 2023, 12:26:46 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.5.21/argocd-test.html b/docs/snyk/v2.5.22/argocd-test.html similarity index 99% rename from docs/snyk/v2.5.21/argocd-test.html rename to docs/snyk/v2.5.22/argocd-test.html index 72561b2cb2f25..fc57771eb95e8 100644 --- a/docs/snyk/v2.5.21/argocd-test.html +++ b/docs/snyk/v2.5.22/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:24:35 am (UTC+00:00)

    +

    August 13th 2023, 12:24:50 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.5.22/ghcr.io_dexidp_dex_v2.37.0.html similarity index 99% rename from docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html rename to docs/snyk/v2.5.22/ghcr.io_dexidp_dex_v2.37.0.html index 6e13ca3147f6c..854284df5423c 100644 --- a/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.5.22/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:19:51 am (UTC+00:00)

    +

    August 13th 2023, 12:25:00 am (UTC+00:00)

    Scanned the following paths: @@ -792,7 +792,7 @@

    References

    -

    Cross-site Scripting (XSS)

    +

    Excessive Iteration

    @@ -801,129 +801,6 @@

    Cross-site Scripting (XSS)


    -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/html@v0.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    -

    Details

    -

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    -
      -
    • Web servers
    • -
    • Application servers
    • -
    • Web application environments
    • -
    -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    -
      -
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • -
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • -
    • Give users the option to disable client-side scripts.
    • -
    • Redirect invalid requests.
    • -
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • -
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • -
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    -
    • Package Manager: alpine:3.18
@@ -1071,6 +948,129 @@

      References

    +
    +

    Cross-site Scripting (XSS)

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    +

    Details

    +

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    +

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    +

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    +

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    +

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    +

    Types of attacks

    +

    There are a few methods by which XSS can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    +

    Affected environments

    +

    The following environments are susceptible to an XSS attack:

    +
      +
    • Web servers
    • +
    • Application servers
    • +
    • Web application environments
    • +
    +

    How to prevent

    +

    This section describes the top best practices designed to specifically protect your code:

    +
      +
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • +
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • +
    • Give users the option to disable client-side scripts.
    • +
    • Redirect invalid requests.
    • +
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • +
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • +
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    +

    References

    + + +
    + + + +
    + + +
diff --git a/docs/snyk/v2.5.22/haproxy_2.6.14-alpine.html
new file mode 100644
index 0000000000000..1dcc1270d0916
--- /dev/null
+++ b/docs/snyk/v2.5.22/haproxy_2.6.14-alpine.html
@@ -0,0 +1,492 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    August 13th 2023, 12:25:04 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • haproxy:2.6.14-alpine (apk)
    • +
    +
    + +
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    +
    18 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    +
    +
    + No known vulnerabilities detected. +
    +
    + + +
diff --git a/docs/snyk/v2.5.21/quay.io_argoproj_argocd_v2.5.21.html b/docs/snyk/v2.5.22/quay.io_argoproj_argocd_v2.5.22.html
similarity index 91%
rename from docs/snyk/v2.5.21/quay.io_argoproj_argocd_v2.5.21.html
rename to docs/snyk/v2.5.22/quay.io_argoproj_argocd_v2.5.22.html
index e2703c65c69b8..9d6a2c6436095 100644
--- a/docs/snyk/v2.5.21/quay.io_argoproj_argocd_v2.5.21.html
+++ b/docs/snyk/v2.5.22/quay.io_argoproj_argocd_v2.5.22.html
@@ -7,7 +7,7 @@ Snyk test report - +
@@ -456,18 +456,18 @@

    Snyk test report

    -

    August 6th 2023, 12:25:08 am (UTC+00:00)

    +

    August 13th 2023, 12:25:25 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.5.21/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.5.21/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.5.21/kustomize/kustomize/v4 (gomodules)
    • quay.io/argoproj/argocd:v2.5.21/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.5.21/git-lfs/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.5.22/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.5.22/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.5.22/kustomize/kustomize/v4 (gomodules)
    • quay.io/argoproj/argocd:v2.5.22/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.5.22/git-lfs/git-lfs (gomodules)
    28 known vulnerabilities
    -
    87 vulnerable dependency paths
    +
    97 vulnerable dependency paths
    2047 dependencies
    @@ -879,7 +879,7 @@

    References

    -

    CVE-2023-4016

    +

    Out-of-bounds Write

    @@ -900,7 +900,7 @@

    CVE-2023-4016

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and procps/libprocps8@2:3.3.17-6ubuntu2 + docker-image|quay.io/argoproj/argocd@v2.5.22 and procps/libprocps8@2:3.3.17-6ubuntu2
  • @@ -913,7 +913,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 procps/libprocps8@2:3.3.17-6ubuntu2 @@ -922,7 +922,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 procps@2:3.3.17-6ubuntu2 @@ -933,7 +933,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 procps@2:3.3.17-6ubuntu2 @@ -966,7 +966,7 @@

      References

    -

    Unquoted Search Path or Element

    +

    CVE-2023-36054

    @@ -982,12 +982,12 @@

    Unquoted Search Path or Element

  • Vulnerable module: - openssh/openssh-client + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
  • @@ -1000,9 +1000,161 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.22 + + meta-common-packages@meta + + krb5/libkrb5support0@1.19.2-2ubuntu0.2 @@ -1014,35 +1166,24 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

      +

      lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

      Remediation

      -

      Upgrade Ubuntu:22.04 openssh to version 1:8.9p1-3ubuntu0.3 or higher.

      +

      There is no fixed version for Ubuntu:22.04 krb5.

      References


    @@ -1503,7 +1644,7 @@

    CVE-2022-46908

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21, gnupg2/gpg@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.5.22, gnupg2/gpg@2.2.27-3ubuntu2.1 and others
  • @@ -1515,7 +1656,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1574,7 +1715,7 @@

      Arbitrary Code Injection

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and shadow/passwd@1:4.8.1-2ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and shadow/passwd@1:4.8.1-2ubuntu2.1
    @@ -1587,7 +1728,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1596,7 +1737,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 adduser@3.118ubuntu5 @@ -1607,9 +1748,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1618,7 +1759,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 shadow/login@1:4.8.1-2ubuntu2.1 @@ -1675,7 +1816,7 @@

      Uncontrolled Recursion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -1688,7 +1829,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -1697,7 +1838,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 grep@3.7-1build1 @@ -1759,7 +1900,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.5.22 and patch@2.7.6-7build2
    @@ -1772,7 +1913,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 patch@2.7.6-7build2 @@ -1826,7 +1967,7 @@

      Double Free

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.5.22 and patch@2.7.6-7build2
    @@ -1839,7 +1980,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 patch@2.7.6-7build2 @@ -1898,7 +2039,7 @@

      Improper Authentication

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and openssl/libssl3@3.0.2-0ubuntu1.10 + docker-image|quay.io/argoproj/argocd@v2.5.22 and openssl/libssl3@3.0.2-0ubuntu1.10
    @@ -1911,7 +2052,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 openssl/libssl3@3.0.2-0ubuntu1.10 @@ -1920,7 +2061,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 @@ -1931,7 +2072,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 libfido2/libfido2-1@1.10.0-1 @@ -1942,9 +2083,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 openssl/libssl3@3.0.2-0ubuntu1.10 @@ -1953,7 +2094,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 ca-certificates@20230311ubuntu0.22.04.1 @@ -1966,11 +2107,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -1981,7 +2122,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 adduser@3.118ubuntu5 @@ -2004,7 +2145,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 openssl@3.0.2-0ubuntu1.10 @@ -2013,7 +2154,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 ca-certificates@20230311ubuntu0.22.04.1 @@ -2090,7 +2231,7 @@

      CVE-2023-28531

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
    @@ -2103,9 +2244,9 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -2160,7 +2301,7 @@

      NULL Pointer Dereference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.5.22, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others
    @@ -2172,33 +2313,33 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/dirmngr@2.2.27-3ubuntu2.1 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 - openldap/libldap-common@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-common@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -2259,7 +2400,7 @@

      Resource Exhaustion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21, meta-common-packages@meta and others + docker-image|quay.io/argoproj/argocd@v2.5.22, meta-common-packages@meta and others
    @@ -2271,7 +2412,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 meta-common-packages@meta @@ -2328,7 +2469,7 @@

      Integer Overflow or Wraparound

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + docker-image|quay.io/argoproj/argocd@v2.5.22 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
    @@ -2341,7 +2482,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -2350,7 +2491,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 adduser@3.118ubuntu5 @@ -2371,7 +2512,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 adduser@3.118ubuntu5 @@ -2394,7 +2535,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 krb5/libkrb5-3@1.19.2-2ubuntu0.2 @@ -2403,7 +2544,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 adduser@3.118ubuntu5 @@ -2424,7 +2565,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2433,9 +2574,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2444,11 +2585,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2457,11 +2598,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -2472,7 +2613,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 adduser@3.118ubuntu5 @@ -2491,7 +2632,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 meta-common-packages@meta @@ -2550,7 +2691,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and gnupg2/gpgv@2.2.27-3ubuntu2.1
    @@ -2563,7 +2704,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -2572,7 +2713,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 apt@2.4.9 @@ -2583,7 +2724,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2594,7 +2735,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2605,7 +2746,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2616,7 +2757,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2629,7 +2770,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2642,7 +2783,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2651,7 +2792,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2662,7 +2803,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2675,7 +2816,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -2684,7 +2825,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2695,7 +2836,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -2704,7 +2845,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2715,7 +2856,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2724,7 +2865,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2735,7 +2876,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2748,7 +2889,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2761,7 +2902,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -2770,7 +2911,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2781,7 +2922,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2794,7 +2935,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2807,7 +2948,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -2816,7 +2957,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2827,7 +2968,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -2836,7 +2977,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2847,7 +2988,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -2856,7 +2997,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2867,7 +3008,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2926,7 +3067,7 @@

      Allocation of Resources Without Limits or Throttling

      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and glibc/libc-bin@2.35-0ubuntu3.1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and glibc/libc-bin@2.35-0ubuntu3.1
    @@ -2939,7 +3080,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 glibc/libc-bin@2.35-0ubuntu3.1 @@ -2948,7 +3089,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 meta-common-packages@meta @@ -3007,7 +3148,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21, git@1:2.34.1-1ubuntu1.9 and others + docker-image|quay.io/argoproj/argocd@v2.5.22, git@1:2.34.1-1ubuntu1.9 and others
    @@ -3019,7 +3160,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 git@1:2.34.1-1ubuntu1.9 @@ -3030,7 +3171,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 git@1:2.34.1-1ubuntu1.9 @@ -3039,7 +3180,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 git-lfs@3.0.2-1ubuntu0.2 @@ -3096,7 +3237,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and coreutils@8.32-4.1ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and coreutils@8.32-4.1ubuntu1
    @@ -3109,7 +3250,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 coreutils@8.32-4.1ubuntu1 @@ -3166,7 +3307,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 and bash@5.1-6ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.5.22 and bash@5.1-6ubuntu1
    @@ -3179,7 +3320,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.21 + docker-image|quay.io/argoproj/argocd@v2.5.22 bash@5.1-6ubuntu1 diff --git a/docs/snyk/v2.7.10/redis_7.0.11-alpine.html b/docs/snyk/v2.5.22/redis_7.0.11-alpine.html similarity index 99% rename from docs/snyk/v2.7.10/redis_7.0.11-alpine.html rename to docs/snyk/v2.5.22/redis_7.0.11-alpine.html index dc7d6f7ecb4a1..8632f50ae8e07 100644 --- a/docs/snyk/v2.7.10/redis_7.0.11-alpine.html +++ b/docs/snyk/v2.5.22/redis_7.0.11-alpine.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      August 6th 2023, 12:20:21 am (UTC+00:00)

      +

      August 13th 2023, 12:25:30 am (UTC+00:00)

      Scanned the following path: @@ -844,12 +844,12 @@

      References

    -
    -

    CVE-2023-3817

    +
    +

    Excessive Iteration

    -
    - low severity +
    + medium severity

    diff --git a/docs/snyk/v2.6.13/haproxy_2.6.14-alpine.html b/docs/snyk/v2.6.13/haproxy_2.6.14-alpine.html deleted file mode 100644 index 66737e1821f83..0000000000000 --- a/docs/snyk/v2.6.13/haproxy_2.6.14-alpine.html +++ /dev/null @@ -1,1031 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    August 6th 2023, 12:22:22 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • haproxy:2.6.14-alpine (apk)
    • -
    -
    - -
    -
    3 known vulnerabilities
    -
    27 vulnerable dependency paths
    -
    18 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    -
    -
    -
    -
    -

    Improper Authentication

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: The AES-SIV cipher implementation contains a bug that causes - it to ignore empty associated data entries which are unauthenticated as - a consequence.

    -

    Impact summary: Applications that use the AES-SIV algorithm and want to - authenticate empty data entries as associated data can be mislead by removing - adding or reordering such empty entries as these are ignored by the OpenSSL - implementation. We are currently unaware of any such applications.

    -

    The AES-SIV algorithm allows for authentication of multiple associated - data entries along with the encryption. To authenticate empty data the - application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with - NULL pointer as the output buffer and 0 as the input buffer length. - The AES-SIV implementation in OpenSSL just returns success for such a call - instead of performing the associated data authentication operation. - The empty data thus will not be authenticated.

    -

    As this issue does not affect non-empty associated data authentication and - we expect it to be rare for an application to use empty associated data - entries this is qualified as Low severity issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Inefficient Regular Expression Complexity

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. One of those - checks confirms that the modulus ('p' parameter) is not too large. Trying to use - a very large modulus is slow and OpenSSL will not normally use a modulus which - is over 10,000 bits in length.

    -

    However the DH_check() function checks numerous aspects of the key or parameters - that have been supplied. Some of those checks use the supplied modulus value - even if it has already been found to be too large.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulernable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the '-check' option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue. - The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. After fixing - CVE-2023-3446 it was discovered that a large q parameter value can also trigger - an overly long computation during some of these checks. A correct q value, - if present, cannot be larger than the modulus p parameter, thus it is - unnecessary to perform these checks if q is larger than p.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulnerable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the "-check" option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    -

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v2.6.13/argocd-iac-install.html b/docs/snyk/v2.6.14/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.6.13/argocd-iac-install.html rename to docs/snyk/v2.6.14/argocd-iac-install.html index 287abd5cc29ef..6279b54663276 100644 --- a/docs/snyk/v2.6.13/argocd-iac-install.html +++ b/docs/snyk/v2.6.14/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:24:07 am (UTC+00:00)

    +

    August 13th 2023, 12:24:11 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.6.13/argocd-iac-namespace-install.html b/docs/snyk/v2.6.14/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.6.13/argocd-iac-namespace-install.html rename to docs/snyk/v2.6.14/argocd-iac-namespace-install.html index 86fa68d4ff535..f242ea2ce943e 100644 --- a/docs/snyk/v2.6.13/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.6.14/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:24:18 am (UTC+00:00)

    +

    August 13th 2023, 12:24:31 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.6.13/argocd-test.html b/docs/snyk/v2.6.14/argocd-test.html similarity index 99% rename from docs/snyk/v2.6.13/argocd-test.html rename to docs/snyk/v2.6.14/argocd-test.html index cf9d2c9604c15..6bb7dda5535f3 100644 --- a/docs/snyk/v2.6.13/argocd-test.html +++ b/docs/snyk/v2.6.14/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:22:11 am (UTC+00:00)

    +

    August 13th 2023, 12:22:11 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.6.14/ghcr.io_dexidp_dex_v2.37.0.html similarity index 99% rename from docs/snyk/v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html rename to docs/snyk/v2.6.14/ghcr.io_dexidp_dex_v2.37.0.html index e8a88abf81efe..ce3acf27ba464 100644 --- a/docs/snyk/v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.6.14/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:22:18 am (UTC+00:00)

    +

    August 13th 2023, 12:22:18 am (UTC+00:00)

    Scanned the following paths: @@ -792,7 +792,7 @@

    References

    -

    Cross-site Scripting (XSS)

    +

    Excessive Iteration

    @@ -801,129 +801,6 @@

    Cross-site Scripting (XSS)


    -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/html@v0.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    -

    Details

    -

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    -
      -
    • Web servers
    • -
    • Application servers
    • -
    • Web application environments
    • -
    -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    -
      -
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • -
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • -
    • Give users the option to disable client-side scripts.
    • -
    • Redirect invalid requests.
    • -
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • -
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • -
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    -
    • Package Manager: alpine:3.18 @@ -1071,6 +948,129 @@

      References

    +
    +

    Cross-site Scripting (XSS)

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    +

    Details

    +

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    +

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    +

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    +

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    +

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    +

    Types of attacks

    +

    There are a few methods by which XSS can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    +

    Affected environments

    +

    The following environments are susceptible to an XSS attack:

    +
      +
    • Web servers
    • +
    • Application servers
    • +
    • Web application environments
    • +
    +

    How to prevent

    +

    This section describes the top best practices designed to specifically protect your code:

    +
      +
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • +
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • +
    • Give users the option to disable client-side scripts.
    • +
    • Redirect invalid requests.
    • +
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • +
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • +
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    +

    References

    + + +
    + + + +
    diff --git a/docs/snyk/v2.6.14/haproxy_2.6.14-alpine.html b/docs/snyk/v2.6.14/haproxy_2.6.14-alpine.html new file mode 100644 index 0000000000000..ce2cdd4fbc859 --- /dev/null +++ b/docs/snyk/v2.6.14/haproxy_2.6.14-alpine.html @@ -0,0 +1,492 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    August 13th 2023, 12:22:23 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • haproxy:2.6.14-alpine (apk)
    • +
    +
    + +
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    +
    18 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    +
    +
    + No known vulnerabilities detected. +
    +
    + + + diff --git a/docs/snyk/v2.6.13/quay.io_argoproj_argocd_v2.6.13.html b/docs/snyk/v2.6.14/quay.io_argoproj_argocd_v2.6.14.html similarity index 90% rename from docs/snyk/v2.6.13/quay.io_argoproj_argocd_v2.6.13.html rename to docs/snyk/v2.6.14/quay.io_argoproj_argocd_v2.6.14.html index 5801ea204e715..4db5b90015ec7 100644 --- a/docs/snyk/v2.6.13/quay.io_argoproj_argocd_v2.6.13.html +++ b/docs/snyk/v2.6.14/quay.io_argoproj_argocd_v2.6.14.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,18 +456,18 @@

    Snyk test report

    -

    August 6th 2023, 12:22:46 am (UTC+00:00)

    +

    August 13th 2023, 12:22:43 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.6.13/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.6.13/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.6.13/kustomize/kustomize/v4 (gomodules)
    • quay.io/argoproj/argocd:v2.6.13/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.6.13/git-lfs/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.6.14/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.6.14/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.6.14/kustomize/kustomize/v4 (gomodules)
    • quay.io/argoproj/argocd:v2.6.14/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.6.14/git-lfs/git-lfs (gomodules)
    26 known vulnerabilities
    -
    85 vulnerable dependency paths
    +
    95 vulnerable dependency paths
    2064 dependencies
    @@ -879,7 +879,7 @@

    References

    -

    CVE-2023-4016

    +

    Out-of-bounds Write

    @@ -900,7 +900,7 @@

    CVE-2023-4016

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and procps/libprocps8@2:3.3.17-6ubuntu2 + docker-image|quay.io/argoproj/argocd@v2.6.14 and procps/libprocps8@2:3.3.17-6ubuntu2
  • @@ -913,7 +913,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 procps/libprocps8@2:3.3.17-6ubuntu2 @@ -922,7 +922,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 procps@2:3.3.17-6ubuntu2 @@ -933,7 +933,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 procps@2:3.3.17-6ubuntu2 @@ -966,7 +966,7 @@

      References

    -

    Unquoted Search Path or Element

    +

    CVE-2023-36054

    @@ -982,12 +982,12 @@

    Unquoted Search Path or Element

  • Vulnerable module: - openssh/openssh-client + krb5/libk5crypto3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
  • @@ -1000,9 +1000,161 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.14 + + meta-common-packages@meta + + krb5/libkrb5support0@1.19.2-2ubuntu0.2 @@ -1014,35 +1166,24 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

      +

      lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

      Remediation

      -

      Upgrade Ubuntu:22.04 openssh to version 1:8.9p1-3ubuntu0.3 or higher.

      +

      There is no fixed version for Ubuntu:22.04 krb5.

      References


    @@ -1357,7 +1498,7 @@

    CVE-2022-46908

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13, gnupg2/gpg@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.6.14, gnupg2/gpg@2.2.27-3ubuntu2.1 and others
  • @@ -1369,7 +1510,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1428,7 +1569,7 @@

      Arbitrary Code Injection

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and shadow/passwd@1:4.8.1-2ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and shadow/passwd@1:4.8.1-2ubuntu2.1
    @@ -1441,7 +1582,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1450,7 +1591,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 adduser@3.118ubuntu5 @@ -1461,9 +1602,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1472,7 +1613,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 shadow/login@1:4.8.1-2ubuntu2.1 @@ -1529,7 +1670,7 @@

      Uncontrolled Recursion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -1542,7 +1683,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -1551,7 +1692,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 grep@3.7-1build1 @@ -1613,7 +1754,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.6.14 and patch@2.7.6-7build2
    @@ -1626,7 +1767,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 patch@2.7.6-7build2 @@ -1680,7 +1821,7 @@

      Double Free

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.6.14 and patch@2.7.6-7build2
    @@ -1693,7 +1834,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 patch@2.7.6-7build2 @@ -1752,7 +1893,7 @@

      Improper Authentication

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and openssl/libssl3@3.0.2-0ubuntu1.10 + docker-image|quay.io/argoproj/argocd@v2.6.14 and openssl/libssl3@3.0.2-0ubuntu1.10
    @@ -1765,7 +1906,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 openssl/libssl3@3.0.2-0ubuntu1.10 @@ -1774,7 +1915,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 @@ -1785,7 +1926,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 libfido2/libfido2-1@1.10.0-1 @@ -1796,9 +1937,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 openssl/libssl3@3.0.2-0ubuntu1.10 @@ -1807,7 +1948,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 ca-certificates@20230311ubuntu0.22.04.1 @@ -1820,11 +1961,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -1835,7 +1976,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 adduser@3.118ubuntu5 @@ -1858,7 +1999,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 openssl@3.0.2-0ubuntu1.10 @@ -1867,7 +2008,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 ca-certificates@20230311ubuntu0.22.04.1 @@ -1944,7 +2085,7 @@

      CVE-2023-28531

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
    @@ -1957,9 +2098,9 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -2014,7 +2155,7 @@

      NULL Pointer Dereference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.6.14, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others
    @@ -2026,33 +2167,33 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/dirmngr@2.2.27-3ubuntu2.1 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 - openldap/libldap-common@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-common@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -2113,7 +2254,7 @@

      Resource Exhaustion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13, meta-common-packages@meta and others + docker-image|quay.io/argoproj/argocd@v2.6.14, meta-common-packages@meta and others
    @@ -2125,7 +2266,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 meta-common-packages@meta @@ -2182,7 +2323,7 @@

      Integer Overflow or Wraparound

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + docker-image|quay.io/argoproj/argocd@v2.6.14 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
    @@ -2195,7 +2336,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -2204,7 +2345,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 adduser@3.118ubuntu5 @@ -2225,7 +2366,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 adduser@3.118ubuntu5 @@ -2248,7 +2389,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 krb5/libkrb5-3@1.19.2-2ubuntu0.2 @@ -2257,7 +2398,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 adduser@3.118ubuntu5 @@ -2278,7 +2419,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2287,9 +2428,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2298,11 +2439,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2311,11 +2452,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -2326,7 +2467,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 adduser@3.118ubuntu5 @@ -2345,7 +2486,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 meta-common-packages@meta @@ -2404,7 +2545,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and gnupg2/gpgv@2.2.27-3ubuntu2.1
    @@ -2417,7 +2558,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -2426,7 +2567,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 apt@2.4.9 @@ -2437,7 +2578,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2448,7 +2589,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2459,7 +2600,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2470,7 +2611,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2483,7 +2624,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2496,7 +2637,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2505,7 +2646,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2516,7 +2657,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2529,7 +2670,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -2538,7 +2679,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2549,7 +2690,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -2558,7 +2699,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2569,7 +2710,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2578,7 +2719,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2589,7 +2730,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2602,7 +2743,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2615,7 +2756,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -2624,7 +2765,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2635,7 +2776,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2648,7 +2789,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2661,7 +2802,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -2670,7 +2811,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2681,7 +2822,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -2690,7 +2831,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2701,7 +2842,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -2710,7 +2851,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2721,7 +2862,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2780,7 +2921,7 @@

      Allocation of Resources Without Limits or Throttling

      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and glibc/libc-bin@2.35-0ubuntu3.1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and glibc/libc-bin@2.35-0ubuntu3.1
    @@ -2793,7 +2934,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 glibc/libc-bin@2.35-0ubuntu3.1 @@ -2802,7 +2943,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 meta-common-packages@meta @@ -2861,7 +3002,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13, git@1:2.34.1-1ubuntu1.9 and others + docker-image|quay.io/argoproj/argocd@v2.6.14, git@1:2.34.1-1ubuntu1.9 and others
    @@ -2873,7 +3014,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 git@1:2.34.1-1ubuntu1.9 @@ -2884,7 +3025,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 git@1:2.34.1-1ubuntu1.9 @@ -2893,7 +3034,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 git-lfs@3.0.2-1ubuntu0.2 @@ -2950,7 +3091,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and coreutils@8.32-4.1ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and coreutils@8.32-4.1ubuntu1
    @@ -2963,7 +3104,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 coreutils@8.32-4.1ubuntu1 @@ -3020,7 +3161,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 and bash@5.1-6ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.6.14 and bash@5.1-6ubuntu1
    @@ -3033,7 +3174,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.13 + docker-image|quay.io/argoproj/argocd@v2.6.14 bash@5.1-6ubuntu1 diff --git a/docs/snyk/v2.5.21/redis_7.0.11-alpine.html b/docs/snyk/v2.6.14/redis_7.0.11-alpine.html similarity index 99% rename from docs/snyk/v2.5.21/redis_7.0.11-alpine.html rename to docs/snyk/v2.6.14/redis_7.0.11-alpine.html index 1c90a35caf6f8..fc44050d1a0c3 100644 --- a/docs/snyk/v2.5.21/redis_7.0.11-alpine.html +++ b/docs/snyk/v2.6.14/redis_7.0.11-alpine.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      August 6th 2023, 12:25:13 am (UTC+00:00)

      +

      August 13th 2023, 12:22:49 am (UTC+00:00)

      Scanned the following path: @@ -844,12 +844,12 @@

      References

    -
    -

    CVE-2023-3817

    +
    +

    Excessive Iteration

    -
    - low severity +
    + medium severity

    diff --git a/docs/snyk/v2.7.10/haproxy_2.6.14-alpine.html b/docs/snyk/v2.7.10/haproxy_2.6.14-alpine.html deleted file mode 100644 index 1c387dbb62e40..0000000000000 --- a/docs/snyk/v2.7.10/haproxy_2.6.14-alpine.html +++ /dev/null @@ -1,1031 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    August 6th 2023, 12:19:56 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • haproxy:2.6.14-alpine (apk)
    • -
    -
    - -
    -
    3 known vulnerabilities
    -
    27 vulnerable dependency paths
    -
    18 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    -
    -
    -
    -
    -

    Improper Authentication

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: The AES-SIV cipher implementation contains a bug that causes - it to ignore empty associated data entries which are unauthenticated as - a consequence.

    -

    Impact summary: Applications that use the AES-SIV algorithm and want to - authenticate empty data entries as associated data can be mislead by removing - adding or reordering such empty entries as these are ignored by the OpenSSL - implementation. We are currently unaware of any such applications.

    -

    The AES-SIV algorithm allows for authentication of multiple associated - data entries along with the encryption. To authenticate empty data the - application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with - NULL pointer as the output buffer and 0 as the input buffer length. - The AES-SIV implementation in OpenSSL just returns success for such a call - instead of performing the associated data authentication operation. - The empty data thus will not be authenticated.

    -

    As this issue does not affect non-empty associated data authentication and - we expect it to be rare for an application to use empty associated data - entries this is qualified as Low severity issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Inefficient Regular Expression Complexity

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. One of those - checks confirms that the modulus ('p' parameter) is not too large. Trying to use - a very large modulus is slow and OpenSSL will not normally use a modulus which - is over 10,000 bits in length.

    -

    However the DH_check() function checks numerous aspects of the key or parameters - that have been supplied. Some of those checks use the supplied modulus value - even if it has already been found to be too large.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulernable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the '-check' option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue. - The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. After fixing - CVE-2023-3446 it was discovered that a large q parameter value can also trigger - an overly long computation during some of these checks. A correct q value, - if present, cannot be larger than the modulus p parameter, thus it is - unnecessary to perform these checks if q is larger than p.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulnerable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the "-check" option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    -

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v2.7.10/argocd-iac-install.html b/docs/snyk/v2.7.11/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.7.10/argocd-iac-install.html rename to docs/snyk/v2.7.11/argocd-iac-install.html index 6bcd9025d71e9..fc3b8a5d16679 100644 --- a/docs/snyk/v2.7.10/argocd-iac-install.html +++ b/docs/snyk/v2.7.11/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:21:45 am (UTC+00:00)

    +

    August 13th 2023, 12:21:43 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.7.10/argocd-iac-namespace-install.html b/docs/snyk/v2.7.11/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.7.10/argocd-iac-namespace-install.html rename to docs/snyk/v2.7.11/argocd-iac-namespace-install.html index 1105c6962e60e..9a773e5e0ea93 100644 --- a/docs/snyk/v2.7.10/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.7.11/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:21:57 am (UTC+00:00)

    +

    August 13th 2023, 12:21:59 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.7.10/argocd-test.html b/docs/snyk/v2.7.11/argocd-test.html similarity index 99% rename from docs/snyk/v2.7.10/argocd-test.html rename to docs/snyk/v2.7.11/argocd-test.html index b434910c23e84..7174bc93fd654 100644 --- a/docs/snyk/v2.7.10/argocd-test.html +++ b/docs/snyk/v2.7.11/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:19:44 am (UTC+00:00)

    +

    August 13th 2023, 12:19:25 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.7.11/ghcr.io_dexidp_dex_v2.37.0.html similarity index 99% rename from docs/snyk/v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html rename to docs/snyk/v2.7.11/ghcr.io_dexidp_dex_v2.37.0.html index 06a1a8ea17ae3..28383604de810 100644 --- a/docs/snyk/v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.7.11/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:24:44 am (UTC+00:00)

    +

    August 13th 2023, 12:19:36 am (UTC+00:00)

    Scanned the following paths: @@ -792,7 +792,7 @@

    References

    -

    Cross-site Scripting (XSS)

    +

    Excessive Iteration

    @@ -801,129 +801,6 @@

    Cross-site Scripting (XSS)


    -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/html@v0.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    -

    Details

    -

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    -
      -
    • Web servers
    • -
    • Application servers
    • -
    • Web application environments
    • -
    -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    -
      -
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • -
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • -
    • Give users the option to disable client-side scripts.
    • -
    • Redirect invalid requests.
    • -
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • -
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • -
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    -
    • Package Manager: alpine:3.18 @@ -1071,6 +948,129 @@

      References

    +
    +

    Cross-site Scripting (XSS)

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    +

    Details

    +

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    +

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    +

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    +

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    +

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    +

    Types of attacks

    +

    There are a few methods by which XSS can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    +

    Affected environments

    +

    The following environments are susceptible to an XSS attack:

    +
      +
    • Web servers
    • +
    • Application servers
    • +
    • Web application environments
    • +
    +

    How to prevent

    +

    This section describes the top best practices designed to specifically protect your code:

    +
      +
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • +
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • +
    • Give users the option to disable client-side scripts.
    • +
    • Redirect invalid requests.
    • +
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • +
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • +
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    +

    References

    + + +
    + + + +
    diff --git a/docs/snyk/v2.7.11/haproxy_2.6.14-alpine.html b/docs/snyk/v2.7.11/haproxy_2.6.14-alpine.html new file mode 100644 index 0000000000000..48873a3503971 --- /dev/null +++ b/docs/snyk/v2.7.11/haproxy_2.6.14-alpine.html @@ -0,0 +1,492 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    August 13th 2023, 12:19:45 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • haproxy:2.6.14-alpine (apk)
    • +
    +
    + +
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    +
    18 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    +
    +
    + No known vulnerabilities detected. +
    +
    + + + diff --git a/docs/snyk/v2.7.10/quay.io_argoproj_argocd_v2.7.10.html b/docs/snyk/v2.7.11/quay.io_argoproj_argocd_v2.7.11.html similarity index 87% rename from docs/snyk/v2.7.10/quay.io_argoproj_argocd_v2.7.10.html rename to docs/snyk/v2.7.11/quay.io_argoproj_argocd_v2.7.11.html index 9cb763260edec..f155da7317d4c 100644 --- a/docs/snyk/v2.7.10/quay.io_argoproj_argocd_v2.7.10.html +++ b/docs/snyk/v2.7.11/quay.io_argoproj_argocd_v2.7.11.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,18 +456,18 @@

    Snyk test report

    -

    August 6th 2023, 12:20:16 am (UTC+00:00)

    +

    August 13th 2023, 12:20:07 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.7.10/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.7.10/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.7.10/kustomize/kustomize/v5 (gomodules)
    • quay.io/argoproj/argocd:v2.7.10/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.7.10/git-lfs/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.7.11/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.7.11/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.7.11/kustomize/kustomize/v5 (gomodules)
    • quay.io/argoproj/argocd:v2.7.11/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.7.11/git-lfs/git-lfs (gomodules)
    -
    18 known vulnerabilities
    -
    75 vulnerable dependency paths
    +
    19 known vulnerabilities
    +
    86 vulnerable dependency paths
    2066 dependencies
    @@ -636,7 +636,7 @@

    References

    -

    CVE-2023-4016

    +

    Out-of-bounds Write

    @@ -657,7 +657,7 @@

    CVE-2023-4016

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and procps/libprocps8@2:3.3.17-6ubuntu2 + docker-image|quay.io/argoproj/argocd@v2.7.11 and procps/libprocps8@2:3.3.17-6ubuntu2
  • @@ -670,7 +670,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 procps/libprocps8@2:3.3.17-6ubuntu2 @@ -679,7 +679,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 procps@2:3.3.17-6ubuntu2 @@ -690,7 +690,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 procps@2:3.3.17-6ubuntu2 @@ -721,6 +721,228 @@

      References

      More about this vulnerability

    +
    +
    +

    CVE-2023-36054

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.7.11 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.11 + + meta-common-packages@meta + + krb5/libkrb5support0@1.19.2-2ubuntu0.2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu:22.04. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    References

    + + +
    + + +

    CVE-2022-46908

    @@ -745,7 +967,7 @@

    CVE-2022-46908

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10, gnupg2/gpg@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.7.11, gnupg2/gpg@2.2.27-3ubuntu2.1 and others
  • @@ -757,7 +979,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -816,7 +1038,7 @@

      Arbitrary Code Injection

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and shadow/passwd@1:4.8.1-2ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.7.11 and shadow/passwd@1:4.8.1-2ubuntu2.1
    @@ -829,7 +1051,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -838,7 +1060,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 adduser@3.118ubuntu5 @@ -849,7 +1071,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -860,7 +1082,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 shadow/login@1:4.8.1-2ubuntu2.1 @@ -917,7 +1139,7 @@

      Uncontrolled Recursion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.7.11 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -930,7 +1152,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -939,7 +1161,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 grep@3.7-1build1 @@ -1001,7 +1223,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.7.11 and patch@2.7.6-7build2
    @@ -1014,7 +1236,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 patch@2.7.6-7build2 @@ -1068,7 +1290,7 @@

      Double Free

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.7.11 and patch@2.7.6-7build2
    @@ -1081,7 +1303,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 patch@2.7.6-7build2 @@ -1140,7 +1362,7 @@

      Improper Authentication

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and openssl/libssl3@3.0.2-0ubuntu1.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 and openssl/libssl3@3.0.2-0ubuntu1.10
    @@ -1153,7 +1375,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 openssl/libssl3@3.0.2-0ubuntu1.10 @@ -1162,7 +1384,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 @@ -1173,7 +1395,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 libfido2/libfido2-1@1.10.0-1 @@ -1184,7 +1406,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -1195,7 +1417,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 ca-certificates@20230311ubuntu0.22.04.1 @@ -1208,7 +1430,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 git@1:2.34.1-1ubuntu1.9 @@ -1223,7 +1445,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 adduser@3.118ubuntu5 @@ -1246,7 +1468,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 openssl@3.0.2-0ubuntu1.10 @@ -1255,7 +1477,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 ca-certificates@20230311ubuntu0.22.04.1 @@ -1332,7 +1554,7 @@

      CVE-2023-28531

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and openssh/openssh-client@1:8.9p1-3ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.7.11 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
    @@ -1345,7 +1567,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -1402,7 +1624,7 @@

      NULL Pointer Dereference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.7.11, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others
    @@ -1414,7 +1636,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -1425,7 +1647,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 git@1:2.34.1-1ubuntu1.9 @@ -1438,7 +1660,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 openldap/libldap-common@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -1501,7 +1723,7 @@

      Resource Exhaustion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10, meta-common-packages@meta and others + docker-image|quay.io/argoproj/argocd@v2.7.11, meta-common-packages@meta and others
    @@ -1513,7 +1735,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 meta-common-packages@meta @@ -1570,7 +1792,7 @@

      Integer Overflow or Wraparound

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + docker-image|quay.io/argoproj/argocd@v2.7.11 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
    @@ -1583,7 +1805,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -1592,7 +1814,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 adduser@3.118ubuntu5 @@ -1613,7 +1835,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 adduser@3.118ubuntu5 @@ -1636,7 +1858,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 krb5/libkrb5-3@1.19.2-2ubuntu0.2 @@ -1645,7 +1867,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 adduser@3.118ubuntu5 @@ -1666,7 +1888,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1675,7 +1897,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -1686,7 +1908,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 git@1:2.34.1-1ubuntu1.9 @@ -1699,7 +1921,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 git@1:2.34.1-1ubuntu1.9 @@ -1714,7 +1936,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 adduser@3.118ubuntu5 @@ -1733,7 +1955,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 meta-common-packages@meta @@ -1792,7 +2014,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.7.11 and gnupg2/gpgv@2.2.27-3ubuntu2.1
    @@ -1805,7 +2027,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -1814,7 +2036,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 apt@2.4.9 @@ -1825,7 +2047,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1836,7 +2058,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -1847,7 +2069,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1858,7 +2080,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1871,7 +2093,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1884,7 +2106,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -1893,7 +2115,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1904,7 +2126,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1917,7 +2139,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -1926,7 +2148,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1937,7 +2159,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -1946,7 +2168,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1957,7 +2179,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1966,7 +2188,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1977,7 +2199,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1990,7 +2212,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2003,7 +2225,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -2012,7 +2234,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2023,7 +2245,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2036,7 +2258,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2049,7 +2271,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -2058,7 +2280,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2069,7 +2291,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -2078,7 +2300,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2089,7 +2311,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -2098,7 +2320,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2109,7 +2331,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2168,7 +2390,7 @@

      Allocation of Resources Without Limits or Throttling

      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and glibc/libc-bin@2.35-0ubuntu3.1 + docker-image|quay.io/argoproj/argocd@v2.7.11 and glibc/libc-bin@2.35-0ubuntu3.1
    @@ -2181,7 +2403,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 glibc/libc-bin@2.35-0ubuntu3.1 @@ -2190,7 +2412,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 meta-common-packages@meta @@ -2249,7 +2471,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10, git@1:2.34.1-1ubuntu1.9 and others + docker-image|quay.io/argoproj/argocd@v2.7.11, git@1:2.34.1-1ubuntu1.9 and others
    @@ -2261,7 +2483,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 git@1:2.34.1-1ubuntu1.9 @@ -2272,7 +2494,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 git@1:2.34.1-1ubuntu1.9 @@ -2281,7 +2503,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 git-lfs@3.0.2-1ubuntu0.2 @@ -2338,7 +2560,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and coreutils@8.32-4.1ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.7.11 and coreutils@8.32-4.1ubuntu1
    @@ -2351,7 +2573,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 coreutils@8.32-4.1ubuntu1 @@ -2408,7 +2630,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 and bash@5.1-6ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.7.11 and bash@5.1-6ubuntu1
    @@ -2421,7 +2643,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.10 + docker-image|quay.io/argoproj/argocd@v2.7.11 bash@5.1-6ubuntu1 diff --git a/docs/snyk/v2.6.13/redis_7.0.11-alpine.html b/docs/snyk/v2.7.11/redis_7.0.11-alpine.html similarity index 99% rename from docs/snyk/v2.6.13/redis_7.0.11-alpine.html rename to docs/snyk/v2.7.11/redis_7.0.11-alpine.html index 7b140ab6e6550..d667d6ed816db 100644 --- a/docs/snyk/v2.6.13/redis_7.0.11-alpine.html +++ b/docs/snyk/v2.7.11/redis_7.0.11-alpine.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      August 6th 2023, 12:22:51 am (UTC+00:00)

      +

      August 13th 2023, 12:20:17 am (UTC+00:00)

      Scanned the following path: @@ -844,12 +844,12 @@

      References

    -
    -

    CVE-2023-3817

    +
    +

    Excessive Iteration

    -
    - low severity +
    + medium severity

    diff --git a/docs/snyk/v2.8.0-rc7/argocd-iac-install.html b/docs/snyk/v2.8.0-rc7/argocd-iac-install.html index cfa514f9791ce..15df1e7e70c21 100644 --- a/docs/snyk/v2.8.0-rc7/argocd-iac-install.html +++ b/docs/snyk/v2.8.0-rc7/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:19:11 am (UTC+00:00)

    +

    August 13th 2023, 12:18:53 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.0-rc7/argocd-iac-namespace-install.html b/docs/snyk/v2.8.0-rc7/argocd-iac-namespace-install.html index fb3d83fdb0688..48793bb6c3e54 100644 --- a/docs/snyk/v2.8.0-rc7/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.8.0-rc7/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:19:22 am (UTC+00:00)

    +

    August 13th 2023, 12:19:05 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.8.0-rc7/argocd-test.html b/docs/snyk/v2.8.0-rc7/argocd-test.html index 2f25d5827e745..0f8c20b574591 100644 --- a/docs/snyk/v2.8.0-rc7/argocd-test.html +++ b/docs/snyk/v2.8.0-rc7/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:17:00 am (UTC+00:00)

    +

    August 13th 2023, 12:16:34 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html index 918845d798a4f..084d7911d5698 100644 --- a/docs/snyk/v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:17:09 am (UTC+00:00)

    +

    August 13th 2023, 12:16:41 am (UTC+00:00)

    Scanned the following paths: @@ -792,7 +792,7 @@

    References

    -

    Cross-site Scripting (XSS)

    +

    Excessive Iteration

    @@ -801,129 +801,6 @@

    Cross-site Scripting (XSS)


    -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/html@v0.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    -

    Details

    -

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    -
      -
    • Web servers
    • -
    • Application servers
    • -
    • Web application environments
    • -
    -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    -
      -
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • -
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • -
    • Give users the option to disable client-side scripts.
    • -
    • Redirect invalid requests.
    • -
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • -
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • -
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    -
    • Package Manager: alpine:3.18 @@ -1071,6 +948,129 @@

      References

    +
    +

    Cross-site Scripting (XSS)

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    +

    Details

    +

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    +

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    +

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    +

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    +

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    +

    Types of attacks

    +

    There are a few methods by which XSS can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    +

    Affected environments

    +

    The following environments are susceptible to an XSS attack:

    +
      +
    • Web servers
    • +
    • Application servers
    • +
    • Web application environments
    • +
    +

    How to prevent

    +

    This section describes the top best practices designed to specifically protect your code:

    +
      +
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • +
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • +
    • Give users the option to disable client-side scripts.
    • +
    • Redirect invalid requests.
    • +
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • +
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • +
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    +

    References

    + + +
    + + + +
    diff --git a/docs/snyk/v2.8.0-rc7/haproxy_2.6.14-alpine.html b/docs/snyk/v2.8.0-rc7/haproxy_2.6.14-alpine.html index 4afb600937e5f..16cd038ee44b3 100644 --- a/docs/snyk/v2.8.0-rc7/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.8.0-rc7/haproxy_2.6.14-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:17:14 am (UTC+00:00)

    +

    August 13th 2023, 12:16:45 am (UTC+00:00)

    Scanned the following path: @@ -466,8 +466,8 @@

    Snyk test report

    -
    3 known vulnerabilities
    -
    27 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    18 dependencies
    @@ -484,546 +484,7 @@

    Snyk test report

    -
    -
    -

    Improper Authentication

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: The AES-SIV cipher implementation contains a bug that causes - it to ignore empty associated data entries which are unauthenticated as - a consequence.

    -

    Impact summary: Applications that use the AES-SIV algorithm and want to - authenticate empty data entries as associated data can be mislead by removing - adding or reordering such empty entries as these are ignored by the OpenSSL - implementation. We are currently unaware of any such applications.

    -

    The AES-SIV algorithm allows for authentication of multiple associated - data entries along with the encryption. To authenticate empty data the - application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with - NULL pointer as the output buffer and 0 as the input buffer length. - The AES-SIV implementation in OpenSSL just returns success for such a call - instead of performing the associated data authentication operation. - The empty data thus will not be authenticated.

    -

    As this issue does not affect non-empty associated data authentication and - we expect it to be rare for an application to use empty associated data - entries this is qualified as Low severity issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Inefficient Regular Expression Complexity

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. One of those - checks confirms that the modulus ('p' parameter) is not too large. Trying to use - a very large modulus is slow and OpenSSL will not normally use a modulus which - is over 10,000 bits in length.

    -

    However the DH_check() function checks numerous aspects of the key or parameters - that have been supplied. Some of those checks use the supplied modulus value - even if it has already been found to be too large.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulernable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the '-check' option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue. - The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-3817

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: alpine:3.18 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - openssl/libcrypto3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - .haproxy-rundeps@20230615.052124 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - apk-tools/apk-tools@2.14.0-r2 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    • - Introduced through: - docker-image|haproxy@2.6.14-alpine - - busybox/ssl_client@1.36.1-r0 - - openssl/libssl3@3.1.1-r1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. - See How to fix? for Alpine:3.18 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    -

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() - or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long - delays. Where the key or parameters that are being checked have been obtained - from an untrusted source this may lead to a Denial of Service.

    -

    The function DH_check() performs various checks on DH parameters. After fixing - CVE-2023-3446 it was discovered that a large q parameter value can also trigger - an overly long computation during some of these checks. A correct q value, - if present, cannot be larger than the modulus p parameter, thus it is - unnecessary to perform these checks if q is larger than p.

    -

    An application that calls DH_check() and supplies a key or parameters obtained - from an untrusted source could be vulnerable to a Denial of Service attack.

    -

    The function DH_check() is itself called by a number of other OpenSSL functions. - An application calling any of those other functions may similarly be affected. - The other functions affected by this are DH_check_ex() and - EVP_PKEY_param_check().

    -

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications - when using the "-check" option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    -

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html b/docs/snyk/v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html index 2419cd08f7c0a..4e00c0a021d27 100644 --- a/docs/snyk/v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html +++ b/docs/snyk/v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:17:35 am (UTC+00:00)

    +

    August 13th 2023, 12:17:14 am (UTC+00:00)

    Scanned the following paths: @@ -466,8 +466,8 @@

    Snyk test report

    -
    17 known vulnerabilities
    -
    74 vulnerable dependency paths
    +
    18 known vulnerabilities
    +
    85 vulnerable dependency paths
    2117 dependencies
    @@ -557,7 +557,7 @@

    References

    -

    CVE-2023-4016

    +

    Out-of-bounds Write

    @@ -642,6 +642,228 @@

    References

    More about this vulnerability

    +
    +
    +

    CVE-2023-36054

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + krb5/libk5crypto3 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + krb5/libk5crypto3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + meta-common-packages@meta + + krb5/libkrb5support0@1.19.2-2ubuntu0.2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu:22.04. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 krb5.

    +

    References

    + + +
    + + +

    CVE-2022-46908

    diff --git a/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html b/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html
    index 609f13a881840..1293d04e5adf8 100644
    --- a/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html
    +++ b/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    August 6th 2023, 12:17:39 am (UTC+00:00)

    +

    August 13th 2023, 12:17:20 am (UTC+00:00)

    Scanned the following path:
    @@ -844,12 +844,12 @@

    References

    -
    -

    CVE-2023-3817

    +
    +

    Excessive Iteration

    -
    - low severity +
    + medium severity