Vulnerability report for Docker buildpack-deps:21.04

Vulnerabilities	60 via 291 paths
Dependencies	425
Source	Docker
Target OS	ubuntu:21.04

Test your Docker Hub image against our market leading vulnerability database Sign up for free

Severity

Critical
High
Medium
14
Low
46

Status

Open
60
Patched
0
Ignored
0

medium severity

Buffer Overflow

Vulnerable module: aom/libaom0
Introduced through: aom/libaom0@1.0.0.errata1-3build1

Detailed paths

Introduced through: buildpack-deps@21.04 › aom/libaom0@1.0.0.errata1-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream aom package and not the aom package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.

Remediation

There is no fixed version for Ubuntu:21.04 aom.

References

Buffer Overflow vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: aom/libaom0
Introduced through: aom/libaom0@1.0.0.errata1-3build1

Detailed paths

Introduced through: buildpack-deps@21.04 › aom/libaom0@1.0.0.errata1-3build1

NVD Description

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.

Remediation

There is no fixed version for Ubuntu:21.04 aom.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: aom/libaom0
Introduced through: aom/libaom0@1.0.0.errata1-3build1

Detailed paths

Introduced through: buildpack-deps@21.04 › aom/libaom0@1.0.0.errata1-3build1

NVD Description

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.

Remediation

There is no fixed version for Ubuntu:21.04 aom.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: gdk-pixbuf/gir1.2-gdkpixbuf-2.0
Introduced through: gdk-pixbuf/gir1.2-gdkpixbuf-2.0@2.42.2+dfsg-1build1, gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.2+dfsg-1build1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › gdk-pixbuf/gir1.2-gdkpixbuf-2.0@2.42.2+dfsg-1build1
Introduced through: buildpack-deps@21.04 › gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.2+dfsg-1build1
Introduced through: buildpack-deps@21.04 › gdk-pixbuf/libgdk-pixbuf-2.0-dev@2.42.2+dfsg-1build1
Introduced through: buildpack-deps@21.04 › gdk-pixbuf/libgdk-pixbuf2.0-bin@2.42.2+dfsg-1build1
Introduced through: buildpack-deps@21.04 › gdk-pixbuf/libgdk-pixbuf2.0-common@2.42.2+dfsg-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream gdk-pixbuf package and not the gdk-pixbuf package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.

Remediation

There is no fixed version for Ubuntu:21.04 gdk-pixbuf.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.34.1-3 and sqlite3/libsqlite3-dev@3.34.1-3

Detailed paths

Introduced through: buildpack-deps@21.04 › sqlite3/libsqlite3-0@3.34.1-3
Introduced through: buildpack-deps@21.04 › sqlite3/libsqlite3-dev@3.34.1-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. A malicious application may cause a denial of service or potentially disclose memory contents.

Remediation

There is no fixed version for Ubuntu:21.04 sqlite3.

References

Out-of-bounds Read vulnerability report

medium severity

Improper Verification of Cryptographic Signature

Vulnerable module: perl
Introduced through: perl@5.32.1-3ubuntu2.1, perl/libperl5.32@5.32.1-3ubuntu2.1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › perl@5.32.1-3ubuntu2.1
Introduced through: buildpack-deps@21.04 › perl/libperl5.32@5.32.1-3ubuntu2.1
Introduced through: buildpack-deps@21.04 › perl/perl-base@5.32.1-3ubuntu2.1
Introduced through: buildpack-deps@21.04 › perl/perl-modules-5.32@5.32.1-3ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

CPAN 2.28 allows Signature Verification Bypass.

Remediation

There is no fixed version for Ubuntu:21.04 perl.

References

Improper Verification of Cryptographic Signature vulnerability report

medium severity

NULL Pointer Dereference

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.33-0ubuntu5, glibc/libc-dev-bin@2.33-0ubuntu5 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › glibc/libc-bin@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc-dev-bin@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc6@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc6-dev@2.33-0ubuntu5

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.

Remediation

There is no fixed version for Ubuntu:21.04 glibc.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

Vulnerable module: krb5/krb5-locales
Introduced through: krb5/krb5-locales@1.18.3-4, krb5/krb5-multidev@1.18.3-4 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › krb5/krb5-locales@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/krb5-multidev@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libgssapi-krb5-2@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libgssrpc4@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libk5crypto3@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkadm5clnt-mit12@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkadm5srv-mit12@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkdb5-10@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkrb5-3@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkrb5-dev@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkrb5support0@1.18.3-4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

Remediation

There is no fixed version for Ubuntu:21.04 krb5.

References

NULL Pointer Dereference vulnerability report

medium severity

Access of Uninitialized Pointer

Vulnerable module: subversion
Introduced through: subversion@1.14.1-3 and subversion/libsvn1@1.14.1-3

Detailed paths

Introduced through: buildpack-deps@21.04 › subversion@1.14.1-3
Introduced through: buildpack-deps@21.04 › subversion/libsvn1@1.14.1-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream subversion package and not the subversion package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.

Remediation

There is no fixed version for Ubuntu:21.04 subversion.

References

Access of Uninitialized Pointer vulnerability report

medium severity

NULL Pointer Dereference

Vulnerable module: aom/libaom0
Introduced through: aom/libaom0@1.0.0.errata1-3build1

Detailed paths

Introduced through: buildpack-deps@21.04 › aom/libaom0@1.0.0.errata1-3build1

NVD Description

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c.

Remediation

There is no fixed version for Ubuntu:21.04 aom.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

Vulnerable module: aom/libaom0
Introduced through: aom/libaom0@1.0.0.errata1-3build1

Detailed paths

Introduced through: buildpack-deps@21.04 › aom/libaom0@1.0.0.errata1-3build1

NVD Description

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c.

Remediation

There is no fixed version for Ubuntu:21.04 aom.

References

NULL Pointer Dereference vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Out-of-bounds Write vulnerability report

medium severity

Open Redirect

Vulnerable module: wget
Introduced through: wget@1.21-1ubuntu3

Detailed paths

Introduced through: buildpack-deps@21.04 › wget@1.21-1ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:21.04 wget.

References

Open Redirect vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: openexr/libopenexr-dev
Introduced through: openexr/libopenexr-dev@2.5.4-1 and openexr/libopenexr25@2.5.4-1

Detailed paths

Introduced through: buildpack-deps@21.04 › openexr/libopenexr-dev@2.5.4-1
Introduced through: buildpack-deps@21.04 › openexr/libopenexr25@2.5.4-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

Remediation

There is no fixed version for Ubuntu:21.04 openexr.

References

Out-of-bounds Read vulnerability report

low severity

Use After Free

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.33-0ubuntu5, glibc/libc-dev-bin@2.33-0ubuntu5 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › glibc/libc-bin@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc-dev-bin@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc6@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc6-dev@2.33-0ubuntu5

NVD Description

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Remediation

There is no fixed version for Ubuntu:21.04 glibc.

References

Use After Free vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.33-0ubuntu5, glibc/libc-dev-bin@2.33-0ubuntu5 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › glibc/libc-bin@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc-dev-bin@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc6@2.33-0ubuntu5
Introduced through: buildpack-deps@21.04 › glibc/libc6-dev@2.33-0ubuntu5

NVD Description

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Remediation

There is no fixed version for Ubuntu:21.04 glibc.

References

Integer Overflow or Wraparound vulnerability report

low severity

Improper Input Validation

Vulnerable module: git
Introduced through: git@1:2.30.2-1ubuntu1 and git/git-man@1:2.30.2-1ubuntu1

Detailed paths

Introduced through: buildpack-deps@21.04 › git@1:2.30.2-1ubuntu1
Introduced through: buildpack-deps@21.04 › git/git-man@1:2.30.2-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).

Remediation

There is no fixed version for Ubuntu:21.04 git.

References

Improper Input Validation vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: openexr/libopenexr-dev
Introduced through: openexr/libopenexr-dev@2.5.4-1 and openexr/libopenexr25@2.5.4-1

Detailed paths

Introduced through: buildpack-deps@21.04 › openexr/libopenexr-dev@2.5.4-1
Introduced through: buildpack-deps@21.04 › openexr/libopenexr25@2.5.4-1

NVD Description

A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.

Remediation

There is no fixed version for Ubuntu:21.04 openexr.

References

Out-of-bounds Write vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.3.1-1ubuntu5 and openjpeg2/libopenjp2-7-dev@2.3.1-1ubuntu5

Detailed paths

Introduced through: buildpack-deps@21.04 › openjpeg2/libopenjp2-7@2.3.1-1ubuntu5
Introduced through: buildpack-deps@21.04 › openjpeg2/libopenjp2-7-dev@2.3.1-1ubuntu5

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjpeg2 package and not the openjpeg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

Remediation

There is no fixed version for Ubuntu:21.04 openjpeg2.

References

Out-of-bounds Write vulnerability report

low severity

Link Following

Vulnerable module: xorg/x11-common
Introduced through: xorg/x11-common@1:7.7+22ubuntu1

Detailed paths

Introduced through: buildpack-deps@21.04 › xorg/x11-common@1:7.7+22ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream xorg package and not the xorg package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.

Remediation

There is no fixed version for Ubuntu:21.04 xorg.

References

Link Following vulnerability report

low severity

Missing Release of Resource after Effective Lifetime

Vulnerable module: binutils
Introduced through: binutils@2.36.1-6ubuntu1, binutils/binutils-common@2.36.1-6ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › binutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-common@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-x86-64-linux-gnu@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libbinutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf-nobfd0@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf0@2.36.1-6ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.

Remediation

There is no fixed version for Ubuntu:21.04 binutils.

References

Missing Release of Resource after Effective Lifetime vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: binutils
Introduced through: binutils@2.36.1-6ubuntu1, binutils/binutils-common@2.36.1-6ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › binutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-common@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-x86-64-linux-gnu@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libbinutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf-nobfd0@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf0@2.36.1-6ubuntu1

NVD Description

A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.

Remediation

There is no fixed version for Ubuntu:21.04 binutils.

References

Uncontrolled Recursion vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu1, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › cairo/libcairo-gobject2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2-dev@1.16.0-5ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.

Remediation

There is no fixed version for Ubuntu:21.04 cairo.

References

Out-of-bounds Read vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: gmp/libgmp-dev
Introduced through: gmp/libgmp-dev@2:6.2.1+dfsg-1ubuntu2, gmp/libgmp10@2:6.2.1+dfsg-1ubuntu2 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › gmp/libgmp-dev@2:6.2.1+dfsg-1ubuntu2
Introduced through: buildpack-deps@21.04 › gmp/libgmp10@2:6.2.1+dfsg-1ubuntu2
Introduced through: buildpack-deps@21.04 › gmp/libgmpxx4ldbl@2:6.2.1+dfsg-1ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gmp package and not the gmp package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Remediation

There is no fixed version for Ubuntu:21.04 gmp.

References

Integer Overflow or Wraparound vulnerability report

low severity

Divide By Zero

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Information Exposure

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Information Exposure vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: krb5/krb5-locales
Introduced through: krb5/krb5-locales@1.18.3-4, krb5/krb5-multidev@1.18.3-4 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › krb5/krb5-locales@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/krb5-multidev@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libgssapi-krb5-2@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libgssrpc4@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libk5crypto3@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkadm5clnt-mit12@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkadm5srv-mit12@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkdb5-10@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkrb5-3@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkrb5-dev@1.18.3-4
Introduced through: buildpack-deps@21.04 › krb5/libkrb5support0@1.18.3-4

NVD Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Ubuntu:21.04 krb5.

References

Integer Overflow or Wraparound vulnerability report

low severity

Double Free

Vulnerable module: patch
Introduced through: patch@2.7.6-7

Detailed paths

Introduced through: buildpack-deps@21.04 › patch@2.7.6-7

NVD Description

Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

Remediation

There is no fixed version for Ubuntu:21.04 patch.

References

Double Free vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: pcre3/libpcre16-3
Introduced through: pcre3/libpcre16-3@2:8.39-13build3, pcre3/libpcre3@2:8.39-13build3 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › pcre3/libpcre16-3@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcre3@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcre3-dev@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcre32-3@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcrecpp0v5@2:8.39-13build3

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Remediation

There is no fixed version for Ubuntu:21.04 pcre3.

References

Out-of-bounds Read vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: pcre3/libpcre16-3
Introduced through: pcre3/libpcre16-3@2:8.39-13build3, pcre3/libpcre3@2:8.39-13build3 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › pcre3/libpcre16-3@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcre3@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcre3-dev@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcre32-3@2:8.39-13build3
Introduced through: buildpack-deps@21.04 › pcre3/libpcrecpp0v5@2:8.39-13build3

NVD Description

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Ubuntu:21.04 pcre3.

References

Uncontrolled Recursion vulnerability report

low severity

CVE-2020-9991

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.34.1-3 and sqlite3/libsqlite3-dev@3.34.1-3

Detailed paths

Introduced through: buildpack-deps@21.04 › sqlite3/libsqlite3-0@3.34.1-3
Introduced through: buildpack-deps@21.04 › sqlite3/libsqlite3-dev@3.34.1-3

NVD Description

This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.0, iOS 14.0 and iPadOS 14.0, iCloud for Windows 7.21, tvOS 14.0. A remote attacker may be able to cause a denial of service.

Remediation

There is no fixed version for Ubuntu:21.04 sqlite3.

References

CVE-2020-9991 vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: tar
Introduced through: tar@1.34+dfsg-1build1

Detailed paths

Introduced through: buildpack-deps@21.04 › tar@1.34+dfsg-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

Remediation

There is no fixed version for Ubuntu:21.04 tar.

References

NULL Pointer Dereference vulnerability report

low severity

Improper Privilege Management

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:8.4p1-5ubuntu1.2

Detailed paths

Introduced through: buildpack-deps@21.04 › openssh/openssh-client@1:8.4p1-5ubuntu1.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.

Remediation

There is no fixed version for Ubuntu:21.04 openssh.

References

Improper Privilege Management vulnerability report

low severity

Loop with Unreachable Exit Condition ('Infinite Loop')

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu1, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › cairo/libcairo-gobject2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2-dev@1.16.0-5ubuntu1

NVD Description

An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.

Remediation

There is no fixed version for Ubuntu:21.04 cairo.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu1, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › cairo/libcairo-gobject2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2-dev@1.16.0-5ubuntu1

NVD Description

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

Remediation

There is no fixed version for Ubuntu:21.04 cairo.

References

Out-of-bounds Write vulnerability report

low severity

Reachable Assertion

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu1, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › cairo/libcairo-gobject2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2-dev@1.16.0-5ubuntu1

NVD Description

An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.

Remediation

There is no fixed version for Ubuntu:21.04 cairo.

References

Reachable Assertion vulnerability report

low severity

Improper Input Validation

Vulnerable module: coreutils
Introduced through: coreutils@8.32-4ubuntu2

Detailed paths

Introduced through: buildpack-deps@21.04 › coreutils@8.32-4ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:21.04 coreutils.

References

Improper Input Validation vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: heimdal/libasn1-8-heimdal
Introduced through: heimdal/libasn1-8-heimdal@7.7.0+dfsg-2, heimdal/libgssapi3-heimdal@7.7.0+dfsg-2 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › heimdal/libasn1-8-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libgssapi3-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libhcrypto4-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libheimbase1-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libheimntlm0-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libhx509-5-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libkrb5-26-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libroken18-heimdal@7.7.0+dfsg-2
Introduced through: buildpack-deps@21.04 › heimdal/libwind0-heimdal@7.7.0+dfsg-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.

Remediation

There is no fixed version for Ubuntu:21.04 heimdal.

References

NULL Pointer Dereference vulnerability report

low severity

Out-of-Bounds

Vulnerable module: jbigkit/libjbig-dev
Introduced through: jbigkit/libjbig-dev@2.1-3.1build1 and jbigkit/libjbig0@2.1-3.1build1

Detailed paths

Introduced through: buildpack-deps@21.04 › jbigkit/libjbig-dev@2.1-3.1build1
Introduced through: buildpack-deps@21.04 › jbigkit/libjbig0@2.1-3.1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream jbigkit package and not the jbigkit package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.

Remediation

There is no fixed version for Ubuntu:21.04 jbigkit.

References

Out-of-Bounds vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.3.1-1ubuntu5 and openjpeg2/libopenjp2-7-dev@2.3.1-1ubuntu5

Detailed paths

Introduced through: buildpack-deps@21.04 › openjpeg2/libopenjp2-7@2.3.1-1ubuntu5
Introduced through: buildpack-deps@21.04 › openjpeg2/libopenjp2-7-dev@2.3.1-1ubuntu5

NVD Description

An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_tcd_init_tile in openjp2/tcd.c, as demonstrated by the 64-bit opj_decompress.

Remediation

There is no fixed version for Ubuntu:21.04 openjpeg2.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Information Exposure

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.34.1-3 and sqlite3/libsqlite3-dev@3.34.1-3

Detailed paths

Introduced through: buildpack-deps@21.04 › sqlite3/libsqlite3-0@3.34.1-3
Introduced through: buildpack-deps@21.04 › sqlite3/libsqlite3-dev@3.34.1-3

NVD Description

An information disclosure issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.0, iOS 14.0 and iPadOS 14.0, iTunes for Windows 12.10.9, iCloud for Windows 11.5, tvOS 14.0. A remote attacker may be able to leak memory.

Remediation

There is no fixed version for Ubuntu:21.04 sqlite3.

References

Information Exposure vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.2.0-1build1, tiff/libtiff5@4.2.0-1build1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › tiff/libtiff-dev@4.2.0-1build1
Introduced through: buildpack-deps@21.04 › tiff/libtiff5@4.2.0-1build1
Introduced through: buildpack-deps@21.04 › tiff/libtiffxx5@4.2.0-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.

Remediation

There is no fixed version for Ubuntu:21.04 tiff.

References

NULL Pointer Dereference vulnerability report

low severity

Information Exposure

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:8.4p1-5ubuntu1.2

Detailed paths

Introduced through: buildpack-deps@21.04 › openssh/openssh-client@1:8.4p1-5ubuntu1.2

NVD Description

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

Remediation

There is no fixed version for Ubuntu:21.04 openssh.

References

Information Exposure vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: binutils
Introduced through: binutils@2.36.1-6ubuntu1, binutils/binutils-common@2.36.1-6ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › binutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-common@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-x86-64-linux-gnu@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libbinutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf-nobfd0@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf0@2.36.1-6ubuntu1

NVD Description

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).

Remediation

There is no fixed version for Ubuntu:21.04 binutils.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Improper Input Validation

Vulnerable module: binutils
Introduced through: binutils@2.36.1-6ubuntu1, binutils/binutils-common@2.36.1-6ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › binutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-common@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-x86-64-linux-gnu@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libbinutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf-nobfd0@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf0@2.36.1-6ubuntu1

NVD Description

GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.

Remediation

There is no fixed version for Ubuntu:21.04 binutils.

References

Improper Input Validation vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu1, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › cairo/libcairo-gobject2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo-script-interpreter2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2@1.16.0-5ubuntu1
Introduced through: buildpack-deps@21.04 › cairo/libcairo2-dev@1.16.0-5ubuntu1

NVD Description

Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.

Remediation

There is no fixed version for Ubuntu:21.04 cairo.

References

NULL Pointer Dereference vulnerability report

low severity

Divide By Zero

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in coders/webp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

CVE-2018-1000654

Vulnerable module: libtasn1-6
Introduced through: libtasn1-6@4.16.0-2

Detailed paths

Introduced through: buildpack-deps@21.04 › libtasn1-6@4.16.0-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.

Remediation

There is no fixed version for Ubuntu:21.04 libtasn1-6.

References

CVE-2018-1000654 vulnerability report

low severity

Out-of-Bounds

Vulnerable module: openexr/libopenexr-dev
Introduced through: openexr/libopenexr-dev@2.5.4-1 and openexr/libopenexr25@2.5.4-1

Detailed paths

Introduced through: buildpack-deps@21.04 › openexr/libopenexr-dev@2.5.4-1
Introduced through: buildpack-deps@21.04 › openexr/libopenexr25@2.5.4-1

NVD Description

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

Remediation

There is no fixed version for Ubuntu:21.04 openexr.

References

Out-of-Bounds vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: openexr/libopenexr-dev
Introduced through: openexr/libopenexr-dev@2.5.4-1 and openexr/libopenexr25@2.5.4-1

Detailed paths

Introduced through: buildpack-deps@21.04 › openexr/libopenexr-dev@2.5.4-1
Introduced through: buildpack-deps@21.04 › openexr/libopenexr25@2.5.4-1

NVD Description

OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Remediation

There is no fixed version for Ubuntu:21.04 openexr.

References

Out-of-bounds Write vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.3.1-1ubuntu5 and openjpeg2/libopenjp2-7-dev@2.3.1-1ubuntu5

Detailed paths

Introduced through: buildpack-deps@21.04 › openjpeg2/libopenjp2-7@2.3.1-1ubuntu5
Introduced through: buildpack-deps@21.04 › openjpeg2/libopenjp2-7-dev@2.3.1-1ubuntu5

NVD Description

Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

Remediation

There is no fixed version for Ubuntu:21.04 openjpeg2.

References

Integer Overflow or Wraparound vulnerability report

low severity

Use of Insufficiently Random Values

Vulnerable module: libxslt/libxslt1-dev
Introduced through: libxslt/libxslt1-dev@1.1.34-4 and libxslt/libxslt1.1@1.1.34-4

Detailed paths

Introduced through: buildpack-deps@21.04 › libxslt/libxslt1-dev@1.1.34-4
Introduced through: buildpack-deps@21.04 › libxslt/libxslt1.1@1.1.34-4

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Remediation

There is no fixed version for Ubuntu:21.04 libxslt.

References

Use of Insufficiently Random Values vulnerability report

low severity

Time-of-check Time-of-use (TOCTOU)

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.8.1-1ubuntu8.1 and shadow/passwd@1:4.8.1-1ubuntu8.1

Detailed paths

Introduced through: buildpack-deps@21.04 › shadow/login@1:4.8.1-1ubuntu8.1
Introduced through: buildpack-deps@21.04 › shadow/passwd@1:4.8.1-1ubuntu8.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Remediation

There is no fixed version for Ubuntu:21.04 shadow.

References

Time-of-check Time-of-use (TOCTOU) vulnerability report

low severity

Exposure of Resource to Wrong Sphere

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1ubuntu1, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › imagemagick@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1ubuntu1
Introduced through: buildpack-deps@21.04 › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1ubuntu1

NVD Description

ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a module policy in policy.xml. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the module policy and instead use the coder policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.

Remediation

There is no fixed version for Ubuntu:21.04 imagemagick.

References

Exposure of Resource to Wrong Sphere vulnerability report

low severity

CVE-2021-3648

Vulnerable module: binutils
Introduced through: binutils@2.36.1-6ubuntu1, binutils/binutils-common@2.36.1-6ubuntu1 and others

Detailed paths

Introduced through: buildpack-deps@21.04 › binutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-common@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/binutils-x86-64-linux-gnu@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libbinutils@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf-nobfd0@2.36.1-6ubuntu1
Introduced through: buildpack-deps@21.04 › binutils/libctf0@2.36.1-6ubuntu1

NVD Description

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-3530. Reason: This candidate is a reservation duplicate of CVE-2021-3530. Notes: All CVE users should reference CVE-2021-3530 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Remediation

There is no fixed version for Ubuntu:21.04 binutils.

References

ADVISORY

CVE-2021-3648 vulnerability report

Vulnerabilities

Dependencies

Source

Target OS

medium severity

Buffer Overflow

Detailed paths

NVD Description

Remediation

References

medium severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

medium severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

medium severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

medium severity

Out-of-bounds Read

Detailed paths

NVD Description

Remediation

References

medium severity

Improper Verification of Cryptographic Signature

Detailed paths

NVD Description

Remediation

References

medium severity

NULL Pointer Dereference

Detailed paths

NVD Description

Remediation

References

medium severity

NULL Pointer Dereference

Detailed paths

NVD Description

Remediation

References

medium severity

Access of Uninitialized Pointer

Detailed paths

NVD Description

Remediation

References

medium severity

NULL Pointer Dereference

Detailed paths

NVD Description

Remediation

References

medium severity

NULL Pointer Dereference

Detailed paths

NVD Description

Remediation

References

medium severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

medium severity

Open Redirect

Detailed paths

NVD Description