Vulnerabilities: 10 via 10 paths

Dependencies: 114

Source: Docker

Target OS: amzn:2
Severity: 6 high, 4 medium

high severity
new

Out-of-bounds Write

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-63.amzn2.0.1
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk glibc@2.26-63.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

high severity
new

Out-of-bounds Write

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-63.amzn2.0.1
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk glibc-common@2.26-63.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

high severity
new

Out-of-bounds Write

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-63.amzn2.0.1
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk glibc-langpack-en@2.26-63.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

high severity
new

Out-of-bounds Write

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-63.amzn2.0.1
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk glibc-minimal-langpack@2.26-63.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

high severity
new

Out-of-bounds Write

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-63.amzn2.0.1
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk libcrypt@2.26-63.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

high severity
new

Detection of Error Condition Without Action

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.41.0-1.amzn2.0.4
  • Fixed in: 0:1.41.0-1.amzn2.0.5

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk libnghttp2@1.41.0-1.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 libnghttp2 to version 0:1.41.0-1.amzn2.0.5 or higher.
This issue was patched in ALAS2-2024-2523.

References

medium severity
new

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: curl
  • Introduced through: curl@8.3.0-1.amzn2.0.6
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk curl@8.3.0-1.amzn2.0.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References

medium severity
new

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: libcurl
  • Introduced through: libcurl@8.3.0-1.amzn2.0.6
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk libcurl@8.3.0-1.amzn2.0.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References

medium severity
new

Misinterpretation of Input

  • Vulnerable module: curl
  • Introduced through: curl@8.3.0-1.amzn2.0.6
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk curl@8.3.0-1.amzn2.0.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When a protocol selection parameter option disables all protocols without adding any, then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.

    curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be a low severity bug.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References

medium severity
new

Misinterpretation of Input

  • Vulnerable module: libcurl
  • Introduced through: libcurl@8.3.0-1.amzn2.0.6
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: amazoncorretto@11-al2-jdk libcurl@8.3.0-1.amzn2.0.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When a protocol selection parameter option disables all protocols without adding any, then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.

    curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be a low severity bug.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References