Docker buildpack-deps:18.10-curl
Vulnerabilities | 27 via 53 paths |
---|---|
Dependencies | 134 |
Source | Docker |
Target OS | ubuntu:18.10 |
medium severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc-bin@2.28-0ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc6@2.28-0ubuntu1
Overview
In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.
medium severity
- Vulnerable module: krb5/libgssapi-krb5-2
- Introduced through: krb5/libgssapi-krb5-2@1.16-2ubuntu1.1, krb5/libk5crypto3@1.16-2ubuntu1.1 and others
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › krb5/libgssapi-krb5-2@1.16-2ubuntu1.1
- Introduced through: buildpack-deps:18.10-curl@* › krb5/libk5crypto3@1.16-2ubuntu1.1
- Introduced through: buildpack-deps:18.10-curl@* › krb5/libkrb5-3@1.16-2ubuntu1.1
- Introduced through: buildpack-deps:18.10-curl@* › krb5/libkrb5support0@1.16-2ubuntu1.1
Overview
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
medium severity
- Vulnerable module: nghttp2/libnghttp2-14
- Introduced through: nghttp2/libnghttp2-14@1.32.1-1build1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › nghttp2/libnghttp2-14@1.32.1-1build1
Overview
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
medium severity
- Vulnerable module: nghttp2/libnghttp2-14
- Introduced through: nghttp2/libnghttp2-14@1.32.1-1build1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › nghttp2/libnghttp2-14@1.32.1-1build1
Overview
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
medium severity
- Vulnerable module: systemd/libsystemd0
- Introduced through: systemd/libsystemd0@239-7ubuntu10.14 and systemd/libudev1@239-7ubuntu10.14
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › systemd/libsystemd0@239-7ubuntu10.14
- Introduced through: buildpack-deps:18.10-curl@* › systemd/libudev1@239-7ubuntu10.14
Overview
systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.
low severity
- Vulnerable module: coreutils
- Introduced through: coreutils@8.28-1ubuntu2
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › coreutils@8.28-1ubuntu2
Overview
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
low severity
- Vulnerable module: dpkg
- Introduced through: dpkg@1.19.0.5ubuntu5
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › dpkg@1.19.0.5ubuntu5
Overview
dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc-bin@2.28-0ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc6@2.28-0ubuntu1
Overview
The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc-bin@2.28-0ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc6@2.28-0ubuntu1
Overview
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc-bin@2.28-0ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc6@2.28-0ubuntu1
Overview
In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc-bin@2.28-0ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc6@2.28-0ubuntu1
Overview
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc-bin@2.28-0ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc6@2.28-0ubuntu1
Overview
** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc-bin@2.28-0ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › glibc/libc6@2.28-0ubuntu1
Overview
In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.
low severity
- Vulnerable module: gnutls28/libgnutls30
- Introduced through: gnutls28/libgnutls30@3.6.4-2ubuntu1.2
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › gnutls28/libgnutls30@3.6.4-2ubuntu1.2
Overview
A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
low severity
- Vulnerable module: heimdal/libasn1-8-heimdal
- Introduced through: heimdal/libasn1-8-heimdal@7.5.0+dfsg-2, heimdal/libgssapi3-heimdal@7.5.0+dfsg-2 and others
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libasn1-8-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libgssapi3-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libhcrypto4-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libheimbase1-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libheimntlm0-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libhx509-5-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libkrb5-26-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libroken18-heimdal@7.5.0+dfsg-2
- Introduced through: buildpack-deps:18.10-curl@* › heimdal/libwind0-heimdal@7.5.0+dfsg-2
Overview
In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
low severity
- Vulnerable module: libtasn1-6
- Introduced through: libtasn1-6@4.13-3
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › libtasn1-6@4.13-3
Overview
GNU Libtasn1 versions 4.13 and 4.12 contain a DoS: CPU usage will reach 100% when running asn1Parser against the POC due to an issue in _asn1_expand_object_id(p_tree), and after a long time the program will be killed. This attack appears to be exploitable via parsing a crafted file.
low severity
- Vulnerable module: nettle/libhogweed4
- Introduced through: nettle/libhogweed4@3.4-1 and nettle/libnettle6@3.4-1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › nettle/libhogweed4@3.4-1
- Introduced through: buildpack-deps:18.10-curl@* › nettle/libnettle6@3.4-1
Overview
A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
low severity
- Vulnerable module: openldap/libldap-2.4-2
- Introduced through: openldap/libldap-2.4-2@2.4.46+dfsg-5ubuntu1.2 and openldap/libldap-common@2.4.46+dfsg-5ubuntu1.2
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › openldap/libldap-2.4-2@2.4.46+dfsg-5ubuntu1.2
- Introduced through: buildpack-deps:18.10-curl@* › openldap/libldap-common@2.4.46+dfsg-5ubuntu1.2
Overview
slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.
low severity
- Vulnerable module: openssl
- Introduced through: openssl@1.1.1-1ubuntu2.2 and openssl/libssl1.1@1.1.1-1ubuntu2.2
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › openssl@1.1.1-1ubuntu2.2
- Introduced through: buildpack-deps:18.10-curl@* › openssl/libssl1.1@1.1.1-1ubuntu2.2
Overview
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).
low severity
- Vulnerable module: pcre3/libpcre3
- Introduced through: pcre3/libpcre3@2:8.39-12~18.10
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › pcre3/libpcre3@2:8.39-12~18.10
Overview
Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.
low severity
- Vulnerable module: pcre3/libpcre3
- Introduced through: pcre3/libpcre3@2:8.39-12~18.10
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › pcre3/libpcre3@2:8.39-12~18.10
Overview
Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.
low severity
- Vulnerable module: shadow/login
- Introduced through: shadow/login@1:4.5-1ubuntu1 and shadow/passwd@1:4.5-1ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › shadow/login@1:4.5-1ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › shadow/passwd@1:4.5-1ubuntu1
Overview
An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.
low severity
- Vulnerable module: shadow/login
- Introduced through: shadow/login@1:4.5-1ubuntu1 and shadow/passwd@1:4.5-1ubuntu1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › shadow/login@1:4.5-1ubuntu1
- Introduced through: buildpack-deps:18.10-curl@* › shadow/passwd@1:4.5-1ubuntu1
Overview
shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
low severity
- Vulnerable module: sqlite3/libsqlite3-0
- Introduced through: sqlite3/libsqlite3-0@3.24.0-1ubuntu0.1
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › sqlite3/libsqlite3-0@3.24.0-1ubuntu0.1
Overview
Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
low severity
- Vulnerable module: systemd/libsystemd0
- Introduced through: systemd/libsystemd0@239-7ubuntu10.14 and systemd/libudev1@239-7ubuntu10.14
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › systemd/libsystemd0@239-7ubuntu10.14
- Introduced through: buildpack-deps:18.10-curl@* › systemd/libudev1@239-7ubuntu10.14
Overview
It was discovered that a systemd service that uses the DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.
low severity
- Vulnerable module: systemd/libsystemd0
- Introduced through: systemd/libsystemd0@239-7ubuntu10.14 and systemd/libudev1@239-7ubuntu10.14
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › systemd/libsystemd0@239-7ubuntu10.14
- Introduced through: buildpack-deps:18.10-curl@* › systemd/libudev1@239-7ubuntu10.14
Overview
It was discovered that a systemd service that uses the DynamicUser property can get new privileges through the execution of SUID binaries, which would allow it to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.
low severity
- Vulnerable module: tar
- Introduced through: tar@1.30+dfsg-2
Detailed paths
- Introduced through: buildpack-deps:18.10-curl@* › tar@1.30+dfsg-2
Overview
GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).