Vulnerabilities

 87 via 572 paths

Dependencies

 414

Source

 Group 6 Copy Created with Sketch. Docker

Target OS

 ubuntu:22.04
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 41
  • 46
Status
  • 87
  • 0
  • 0

medium severity

OS Command Injection

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in ImageMagick. This security flaw cause a remote code execution vulnerability in OpenBlob with --enable-pipes configured.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

OS Command Injection vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: gdk-pixbuf/gir1.2-gdkpixbuf-2.0
  • Introduced through: gdk-pixbuf/gir1.2-gdkpixbuf-2.0@2.42.8+dfsg-1ubuntu0.2, gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.8+dfsg-1ubuntu0.2 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 gdk-pixbuf/gir1.2-gdkpixbuf-2.0@2.42.8+dfsg-1ubuntu0.2
  • Introduced through: buildpack-deps@22.04 gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.8+dfsg-1ubuntu0.2
  • Introduced through: buildpack-deps@22.04 gdk-pixbuf/libgdk-pixbuf-2.0-dev@2.42.8+dfsg-1ubuntu0.2
  • Introduced through: buildpack-deps@22.04 gdk-pixbuf/libgdk-pixbuf2.0-bin@2.42.8+dfsg-1ubuntu0.2
  • Introduced through: buildpack-deps@22.04 gdk-pixbuf/libgdk-pixbuf2.0-common@2.42.8+dfsg-1ubuntu0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gdk-pixbuf package and not the gdk-pixbuf package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

Remediation

There is no fixed version for Ubuntu:22.04 gdk-pixbuf.

References

Out-of-bounds Write vulnerability report

medium severity

Buffer Overflow

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Buffer Overflow vulnerability report

medium severity

Incorrect Type Conversion or Cast

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Incorrect Type Conversion or Cast vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in ImageMagick, causing an outside the range of representable values of type 'unsigned char' at coders/psd.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in ImageMagick, causing an outside the range of representable values of type 'unsigned long' at coders/pcl.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Buffer Overflow

  • Vulnerable module: libheif/libheif1
  • Introduced through: libheif/libheif1@1.12.0-2build1

Detailed paths

  • Introduced through: buildpack-deps@22.04 libheif/libheif1@1.12.0-2build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.

Remediation

There is no fixed version for Ubuntu:22.04 libheif.

References

Buffer Overflow vulnerability report

medium severity

Divide By Zero

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered with ImageMagick 7.1.0-4 via Division by zero in function ReadEnhMetaFile of coders/emf.c.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Divide By Zero vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Out-of-bounds Write vulnerability report

medium severity

Use After Free

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Use After Free vulnerability report

medium severity

Divide By Zero

  • Vulnerable module: pixman/libpixman-1-0
  • Introduced through: pixman/libpixman-1-0@0.40.0-1ubuntu0.22.04.1 and pixman/libpixman-1-dev@0.40.0-1ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 pixman/libpixman-1-0@0.40.0-1ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 pixman/libpixman-1-dev@0.40.0-1ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pixman package and not the pixman package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

Remediation

There is no fixed version for Ubuntu:22.04 pixman.

References

Divide By Zero vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Out-of-bounds Write vulnerability report

medium severity

Open Redirect

  • Vulnerable module: wget
  • Introduced through: wget@1.21.2-2ubuntu1

Detailed paths

  • Introduced through: buildpack-deps@22.04 wget@1.21.2-2ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:22.04 wget.

References

Open Redirect vulnerability report

medium severity

Information Exposure

  • Vulnerable module: gcc-defaults/cpp
  • Introduced through: gcc-defaults/cpp@4:11.2.0-1ubuntu1, gcc-defaults/g++@4:11.2.0-1ubuntu1 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 gcc-defaults/cpp@4:11.2.0-1ubuntu1
  • Introduced through: buildpack-deps@22.04 gcc-defaults/g++@4:11.2.0-1ubuntu1
  • Introduced through: buildpack-deps@22.04 gcc-defaults/gcc@4:11.2.0-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-defaults package and not the gcc-defaults package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."

Remediation

There is no fixed version for Ubuntu:22.04 gcc-defaults.

References

Information Exposure vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Out-of-bounds Write vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: openexr/libopenexr-dev
  • Introduced through: openexr/libopenexr-dev@2.5.7-1 and openexr/libopenexr25@2.5.7-1

Detailed paths

  • Introduced through: buildpack-deps@22.04 openexr/libopenexr-dev@2.5.7-1
  • Introduced through: buildpack-deps@22.04 openexr/libopenexr25@2.5.7-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.

Remediation

There is no fixed version for Ubuntu:22.04 openexr.

References

Integer Overflow or Wraparound vulnerability report

medium severity

CVE-2020-22916

  • Vulnerable module: xz-utils
  • Introduced through: xz-utils@5.2.5-2ubuntu1, xz-utils/liblzma-dev@5.2.5-2ubuntu1 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 xz-utils@5.2.5-2ubuntu1
  • Introduced through: buildpack-deps@22.04 xz-utils/liblzma-dev@5.2.5-2ubuntu1
  • Introduced through: buildpack-deps@22.04 xz-utils/liblzma5@5.2.5-2ubuntu1

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.

Remediation

There is no fixed version for Ubuntu:22.04 xz-utils.

References

CVE-2020-22916 vulnerability report

medium severity
new

CVE-2024-20994

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-20994 vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: python3.10
  • Introduced through: python3.10@3.10.12-1~22.04.3, python3.10/libpython3.10-minimal@3.10.12-1~22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 python3.10@3.10.12-1~22.04.3
  • Introduced through: buildpack-deps@22.04 python3.10/libpython3.10-minimal@3.10.12-1~22.04.3
  • Introduced through: buildpack-deps@22.04 python3.10/libpython3.10-stdlib@3.10.12-1~22.04.3
  • Introduced through: buildpack-deps@22.04 python3.10/python3.10-minimal@3.10.12-1~22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.10 package and not the python3.10 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Remediation

There is no fixed version for Ubuntu:22.04 python3.10.

References

Improper Input Validation vulnerability report

medium severity
new

CVE-2024-20998

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-20998 vulnerability report

medium severity
new

CVE-2024-21047

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21047 vulnerability report

medium severity
new

CVE-2024-21054

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21054 vulnerability report

medium severity
new

CVE-2024-21060

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21060 vulnerability report

medium severity
new

CVE-2024-21062

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21062 vulnerability report

medium severity
new

CVE-2024-21069

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21069 vulnerability report

medium severity
new

CVE-2024-21087

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21087 vulnerability report

medium severity
new

CVE-2024-21096

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21096 vulnerability report

medium severity
new

CVE-2024-21102

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21102 vulnerability report

medium severity
new

CVE-2024-21008

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21008 vulnerability report

medium severity
new

CVE-2024-21013

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21013 vulnerability report

medium severity
new

CVE-2024-21000

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21000 vulnerability report

medium severity

Memory Leak

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in ImageMagick-7.0.11-5, where executing a crafted file with the convert command, ASAN detects memory leaks.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Memory Leak vulnerability report

medium severity

Memory Leak

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

ImageMagick before 6.9.12-91 allows attackers to cause a denial of service (memory consumption) in Magick::Draw.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Memory Leak vulnerability report

medium severity

CVE-2024-26458

  • Vulnerable module: krb5/krb5-multidev
  • Introduced through: krb5/krb5-multidev@1.19.2-2ubuntu0.3, krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 krb5/krb5-multidev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssrpc4@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5clnt-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5srv-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkdb5-10@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-dev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5support0@1.19.2-2ubuntu0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

There is no fixed version for Ubuntu:22.04 krb5.

References

CVE-2024-26458 vulnerability report

medium severity

CVE-2024-26461

  • Vulnerable module: krb5/krb5-multidev
  • Introduced through: krb5/krb5-multidev@1.19.2-2ubuntu0.3, krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 krb5/krb5-multidev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssrpc4@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5clnt-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5srv-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkdb5-10@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-dev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5support0@1.19.2-2ubuntu0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

There is no fixed version for Ubuntu:22.04 krb5.

References

CVE-2024-26461 vulnerability report

medium severity

CVE-2024-26462

  • Vulnerable module: krb5/krb5-multidev
  • Introduced through: krb5/krb5-multidev@1.19.2-2ubuntu0.3, krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 krb5/krb5-multidev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssrpc4@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5clnt-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5srv-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkdb5-10@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-dev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5support0@1.19.2-2ubuntu0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

Remediation

There is no fixed version for Ubuntu:22.04 krb5.

References

CVE-2024-26462 vulnerability report

medium severity

Information Exposure

  • Vulnerable module: libgcrypt20
  • Introduced through: libgcrypt20@1.9.4-3ubuntu3

Detailed paths

  • Introduced through: buildpack-deps@22.04 libgcrypt20@1.9.4-3ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Ubuntu:22.04 libgcrypt20.

References

Information Exposure vulnerability report

medium severity
new

Heap-based Buffer Overflow

  • Vulnerable module: libyaml/libyaml-0-2
  • Introduced through: libyaml/libyaml-0-2@0.2.2-1build2 and libyaml/libyaml-dev@0.2.2-1build2

Detailed paths

  • Introduced through: buildpack-deps@22.04 libyaml/libyaml-0-2@0.2.2-1build2
  • Introduced through: buildpack-deps@22.04 libyaml/libyaml-dev@0.2.2-1build2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libyaml package and not the libyaml package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Remediation

There is no fixed version for Ubuntu:22.04 libyaml.

References

Heap-based Buffer Overflow vulnerability report

medium severity
new

CVE-2024-21009

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1 and mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient-dev@8.0.36-0ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 mysql-8.0/libmysqlclient21@8.0.36-0ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:22.04 mysql-8.0.

References

CVE-2024-21009 vulnerability report

low severity

Improper Input Validation

  • Vulnerable module: git
  • Introduced through: git@1:2.34.1-1ubuntu1.10 and git/git-man@1:2.34.1-1ubuntu1.10

Detailed paths

  • Introduced through: buildpack-deps@22.04 git@1:2.34.1-1ubuntu1.10
  • Introduced through: buildpack-deps@22.04 git/git-man@1:2.34.1-1ubuntu1.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).

Remediation

There is no fixed version for Ubuntu:22.04 git.

References

Improper Input Validation vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: openjpeg2/libopenjp2-7
  • Introduced through: openjpeg2/libopenjp2-7@2.4.0-6 and openjpeg2/libopenjp2-7-dev@2.4.0-6

Detailed paths

  • Introduced through: buildpack-deps@22.04 openjpeg2/libopenjp2-7@2.4.0-6
  • Introduced through: buildpack-deps@22.04 openjpeg2/libopenjp2-7-dev@2.4.0-6

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjpeg2 package and not the openjpeg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

Remediation

There is no fixed version for Ubuntu:22.04 openjpeg2.

References

Out-of-bounds Write vulnerability report

low severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: binutils
  • Introduced through: binutils@2.38-4ubuntu2.6, binutils/binutils-common@2.38-4ubuntu2.6 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 binutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-common@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libbinutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf-nobfd0@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf0@2.38-4ubuntu2.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

Missing Release of Resource after Effective Lifetime vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.35-0ubuntu3.7, glibc/libc-dev-bin@2.35-0ubuntu3.7 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 glibc/libc-bin@2.35-0ubuntu3.7
  • Introduced through: buildpack-deps@22.04 glibc/libc-dev-bin@2.35-0ubuntu3.7
  • Introduced through: buildpack-deps@22.04 glibc/libc6@2.35-0ubuntu3.7
  • Introduced through: buildpack-deps@22.04 glibc/libc6-dev@2.35-0ubuntu3.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Remediation

There is no fixed version for Ubuntu:22.04 glibc.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: harfbuzz/libharfbuzz0b
  • Introduced through: harfbuzz/libharfbuzz0b@2.7.4-1ubuntu3.1

Detailed paths

  • Introduced through: buildpack-deps@22.04 harfbuzz/libharfbuzz0b@2.7.4-1ubuntu3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream harfbuzz package and not the harfbuzz package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Remediation

There is no fixed version for Ubuntu:22.04 harfbuzz.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Divide By Zero

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Information Exposure

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Information Exposure vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: krb5/krb5-multidev
  • Introduced through: krb5/krb5-multidev@1.19.2-2ubuntu0.3, krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 krb5/krb5-multidev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libgssrpc4@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libk5crypto3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5clnt-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkadm5srv-mit12@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkdb5-10@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-3@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5-dev@1.19.2-2ubuntu0.3
  • Introduced through: buildpack-deps@22.04 krb5/libkrb5support0@1.19.2-2ubuntu0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Ubuntu:22.04 krb5.

References

Integer Overflow or Wraparound vulnerability report

low severity

Resource Exhaustion

  • Vulnerable module: libzstd/libzstd-dev
  • Introduced through: libzstd/libzstd-dev@1.4.8+dfsg-3build1 and libzstd/libzstd1@1.4.8+dfsg-3build1

Detailed paths

  • Introduced through: buildpack-deps@22.04 libzstd/libzstd-dev@1.4.8+dfsg-3build1
  • Introduced through: buildpack-deps@22.04 libzstd/libzstd1@1.4.8+dfsg-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

Remediation

There is no fixed version for Ubuntu:22.04 libzstd.

References

Resource Exhaustion vulnerability report

low severity

Double Free

  • Vulnerable module: patch
  • Introduced through: patch@2.7.6-7build2

Detailed paths

  • Introduced through: buildpack-deps@22.04 patch@2.7.6-7build2

NVD Description

Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

Remediation

There is no fixed version for Ubuntu:22.04 patch.

References

Double Free vulnerability report

low severity

Uncontrolled Recursion

  • Vulnerable module: pcre3/libpcre16-3
  • Introduced through: pcre3/libpcre16-3@2:8.39-13ubuntu0.22.04.1, pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 pcre3/libpcre16-3@2:8.39-13ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 pcre3/libpcre3-dev@2:8.39-13ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 pcre3/libpcre32-3@2:8.39-13ubuntu0.22.04.1
  • Introduced through: buildpack-deps@22.04 pcre3/libpcrecpp0v5@2:8.39-13ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Ubuntu:22.04 pcre3.

References

Uncontrolled Recursion vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: cairo/libcairo-gobject2
  • Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu2, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu2 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 cairo/libcairo-gobject2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo-script-interpreter2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo2-dev@1.16.0-5ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

Remediation

There is no fixed version for Ubuntu:22.04 cairo.

References

Out-of-bounds Write vulnerability report

low severity

Reachable Assertion

  • Vulnerable module: cairo/libcairo-gobject2
  • Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu2, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu2 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 cairo/libcairo-gobject2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo-script-interpreter2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo2-dev@1.16.0-5ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.

Remediation

There is no fixed version for Ubuntu:22.04 cairo.

References

Reachable Assertion vulnerability report

low severity

Improper Input Validation

  • Vulnerable module: coreutils
  • Introduced through: coreutils@8.32-4.1ubuntu1.2

Detailed paths

  • Introduced through: buildpack-deps@22.04 coreutils@8.32-4.1ubuntu1.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:22.04 coreutils.

References

Improper Input Validation vulnerability report

low severity

Out-of-Bounds

  • Vulnerable module: gcc-11
  • Introduced through: gcc-11@11.4.0-1ubuntu1~22.04, gcc-11/cpp-11@11.4.0-1ubuntu1~22.04 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 gcc-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/cpp-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/g++-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/gcc-11-base@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libasan6@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libgcc-11-dev@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libstdc++-11-dev@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libtsan0@11.4.0-1ubuntu1~22.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-11 package and not the gcc-11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.

Remediation

There is no fixed version for Ubuntu:22.04 gcc-11.

References

Out-of-Bounds vulnerability report

low severity

CVE-2023-50495

  • Vulnerable module: ncurses/libncurses-dev
  • Introduced through: ncurses/libncurses-dev@6.3-2ubuntu0.1, ncurses/libncurses5-dev@6.3-2ubuntu0.1 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 ncurses/libncurses-dev@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncurses5-dev@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncurses6@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncursesw5-dev@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncursesw6@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libtinfo6@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/ncurses-base@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/ncurses-bin@6.3-2ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for Ubuntu:22.04 ncurses.

References

CVE-2023-50495 vulnerability report

low severity

Divide By Zero

  • Vulnerable module: openexr/libopenexr-dev
  • Introduced through: openexr/libopenexr-dev@2.5.7-1 and openexr/libopenexr25@2.5.7-1

Detailed paths

  • Introduced through: buildpack-deps@22.04 openexr/libopenexr-dev@2.5.7-1
  • Introduced through: buildpack-deps@22.04 openexr/libopenexr25@2.5.7-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y; and chroma.green.y * (X + Z))) / d; but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.

Remediation

There is no fixed version for Ubuntu:22.04 openexr.

References

Divide By Zero vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: openjpeg2/libopenjp2-7
  • Introduced through: openjpeg2/libopenjp2-7@2.4.0-6 and openjpeg2/libopenjp2-7-dev@2.4.0-6

Detailed paths

  • Introduced through: buildpack-deps@22.04 openjpeg2/libopenjp2-7@2.4.0-6
  • Introduced through: buildpack-deps@22.04 openjpeg2/libopenjp2-7-dev@2.4.0-6

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjpeg2 package and not the openjpeg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_tcd_init_tile in openjp2/tcd.c, as demonstrated by the 64-bit opj_decompress.

Remediation

There is no fixed version for Ubuntu:22.04 openjpeg2.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: tiff/libtiff-dev
  • Introduced through: tiff/libtiff-dev@4.3.0-6ubuntu0.8, tiff/libtiff5@4.3.0-6ubuntu0.8 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 tiff/libtiff-dev@4.3.0-6ubuntu0.8
  • Introduced through: buildpack-deps@22.04 tiff/libtiff5@4.3.0-6ubuntu0.8
  • Introduced through: buildpack-deps@22.04 tiff/libtiffxx5@4.3.0-6ubuntu0.8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.

Remediation

There is no fixed version for Ubuntu:22.04 tiff.

References

NULL Pointer Dereference vulnerability report

low severity

CVE-2023-7008

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@249.11-0ubuntu3.12 and systemd/libudev1@249.11-0ubuntu3.12

Detailed paths

  • Introduced through: buildpack-deps@22.04 systemd/libsystemd0@249.11-0ubuntu3.12
  • Introduced through: buildpack-deps@22.04 systemd/libudev1@249.11-0ubuntu3.12

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Remediation

There is no fixed version for Ubuntu:22.04 systemd.

References

CVE-2023-7008 vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: binutils
  • Introduced through: binutils@2.38-4ubuntu2.6, binutils/binutils-common@2.38-4ubuntu2.6 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 binutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-common@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libbinutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf-nobfd0@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf0@2.38-4ubuntu2.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: binutils
  • Introduced through: binutils@2.38-4ubuntu2.6, binutils/binutils-common@2.38-4ubuntu2.6 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 binutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-common@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libbinutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf-nobfd0@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf0@2.38-4ubuntu2.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Improper Input Validation

  • Vulnerable module: binutils
  • Introduced through: binutils@2.38-4ubuntu2.6, binutils/binutils-common@2.38-4ubuntu2.6 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 binutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-common@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libbinutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf-nobfd0@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf0@2.38-4ubuntu2.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

Improper Input Validation vulnerability report

low severity

Uncontrolled Recursion

  • Vulnerable module: binutils
  • Introduced through: binutils@2.38-4ubuntu2.6, binutils/binutils-common@2.38-4ubuntu2.6 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 binutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-common@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libbinutils@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf-nobfd0@2.38-4ubuntu2.6
  • Introduced through: buildpack-deps@22.04 binutils/libctf0@2.38-4ubuntu2.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

Uncontrolled Recursion vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: cairo/libcairo-gobject2
  • Introduced through: cairo/libcairo-gobject2@1.16.0-5ubuntu2, cairo/libcairo-script-interpreter2@1.16.0-5ubuntu2 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 cairo/libcairo-gobject2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo-script-interpreter2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo2@1.16.0-5ubuntu2
  • Introduced through: buildpack-deps@22.04 cairo/libcairo2-dev@1.16.0-5ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.

Remediation

There is no fixed version for Ubuntu:22.04 cairo.

References

NULL Pointer Dereference vulnerability report

low severity

Uncontrolled Recursion

  • Vulnerable module: gcc-11
  • Introduced through: gcc-11@11.4.0-1ubuntu1~22.04, gcc-11/cpp-11@11.4.0-1ubuntu1~22.04 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 gcc-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/cpp-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/g++-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/gcc-11-base@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libasan6@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libgcc-11-dev@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libstdc++-11-dev@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libtsan0@11.4.0-1ubuntu1~22.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-11 package and not the gcc-11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

Remediation

There is no fixed version for Ubuntu:22.04 gcc-11.

References

Uncontrolled Recursion vulnerability report

low severity

Uncontrolled Recursion

  • Vulnerable module: gcc-11
  • Introduced through: gcc-11@11.4.0-1ubuntu1~22.04, gcc-11/cpp-11@11.4.0-1ubuntu1~22.04 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 gcc-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/cpp-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/g++-11@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/gcc-11-base@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libasan6@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libgcc-11-dev@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libstdc++-11-dev@11.4.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-11/libtsan0@11.4.0-1ubuntu1~22.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-11 package and not the gcc-11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for Ubuntu:22.04 gcc-11.

References

Uncontrolled Recursion vulnerability report

low severity

Uncontrolled Recursion

  • Vulnerable module: gcc-12/gcc-12-base
  • Introduced through: gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04, gcc-12/libatomic1@12.3.0-1ubuntu1~22.04 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libatomic1@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libcc1-0@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libgomp1@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libitm1@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/liblsan0@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libquadmath0@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
  • Introduced through: buildpack-deps@22.04 gcc-12/libubsan1@12.3.0-1ubuntu1~22.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-12 package and not the gcc-12 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for Ubuntu:22.04 gcc-12.

References

Uncontrolled Recursion vulnerability report

low severity

Divide By Zero

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in coders/webp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Divide By Zero vulnerability report

low severity

Improper Input Validation

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the system.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Improper Input Validation vulnerability report

low severity

Improper Input Validation

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Improper Input Validation vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Out-of-bounds Write vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: libpng1.6/libpng-dev
  • Introduced through: libpng1.6/libpng-dev@1.6.37-3build5 and libpng1.6/libpng16-16@1.6.37-3build5

Detailed paths

  • Introduced through: buildpack-deps@22.04 libpng1.6/libpng-dev@1.6.37-3build5
  • Introduced through: buildpack-deps@22.04 libpng1.6/libpng16-16@1.6.37-3build5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.

Remediation

There is no fixed version for Ubuntu:22.04 libpng1.6.

References

NULL Pointer Dereference vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: openexr/libopenexr-dev
  • Introduced through: openexr/libopenexr-dev@2.5.7-1 and openexr/libopenexr25@2.5.7-1

Detailed paths

  • Introduced through: buildpack-deps@22.04 openexr/libopenexr-dev@2.5.7-1
  • Introduced through: buildpack-deps@22.04 openexr/libopenexr25@2.5.7-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Remediation

There is no fixed version for Ubuntu:22.04 openexr.

References

Out-of-bounds Write vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: openjpeg2/libopenjp2-7
  • Introduced through: openjpeg2/libopenjp2-7@2.4.0-6 and openjpeg2/libopenjp2-7-dev@2.4.0-6

Detailed paths

  • Introduced through: buildpack-deps@22.04 openjpeg2/libopenjp2-7@2.4.0-6
  • Introduced through: buildpack-deps@22.04 openjpeg2/libopenjp2-7-dev@2.4.0-6

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjpeg2 package and not the openjpeg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

Remediation

There is no fixed version for Ubuntu:22.04 openjpeg2.

References

Integer Overflow or Wraparound vulnerability report

low severity

Release of Invalid Pointer or Reference

  • Vulnerable module: patch
  • Introduced through: patch@2.7.6-7build2

Detailed paths

  • Introduced through: buildpack-deps@22.04 patch@2.7.6-7build2

NVD Description

Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

Remediation

There is no fixed version for Ubuntu:22.04 patch.

References

Release of Invalid Pointer or Reference vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: tiff/libtiff-dev
  • Introduced through: tiff/libtiff-dev@4.3.0-6ubuntu0.8, tiff/libtiff5@4.3.0-6ubuntu0.8 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 tiff/libtiff-dev@4.3.0-6ubuntu0.8
  • Introduced through: buildpack-deps@22.04 tiff/libtiff5@4.3.0-6ubuntu0.8
  • Introduced through: buildpack-deps@22.04 tiff/libtiffxx5@4.3.0-6ubuntu0.8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.

Remediation

There is no fixed version for Ubuntu:22.04 tiff.

References

Out-of-bounds Write vulnerability report

low severity

Exposure of Resource to Wrong Sphere

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 imagemagick@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
  • Introduced through: buildpack-deps@22.04 imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a module policy in policy.xml. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the module policy and instead use the coder policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.

Remediation

There is no fixed version for Ubuntu:22.04 imagemagick.

References

Exposure of Resource to Wrong Sphere vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: gnupg2/dirmngr
  • Introduced through: gnupg2/dirmngr@2.2.27-3ubuntu2.1, gnupg2/gnupg@2.2.27-3ubuntu2.1 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 gnupg2/dirmngr@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gnupg@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gpg@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gpg-agent@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gpgconf@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gpgsm@2.2.27-3ubuntu2.1
  • Introduced through: buildpack-deps@22.04 gnupg2/gpgv@2.2.27-3ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Ubuntu:22.04 gnupg2.

References

Out-of-bounds Write vulnerability report

low severity

Arbitrary Code Injection

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.8.1-2ubuntu2.2 and shadow/passwd@1:4.8.1-2ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps@22.04 shadow/login@1:4.8.1-2ubuntu2.2
  • Introduced through: buildpack-deps@22.04 shadow/passwd@1:4.8.1-2ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

Remediation

There is no fixed version for Ubuntu:22.04 shadow.

References

Arbitrary Code Injection vulnerability report

low severity

CVE-2023-45918

  • Vulnerable module: ncurses/libncurses-dev
  • Introduced through: ncurses/libncurses-dev@6.3-2ubuntu0.1, ncurses/libncurses5-dev@6.3-2ubuntu0.1 and others

Detailed paths

  • Introduced through: buildpack-deps@22.04 ncurses/libncurses-dev@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncurses5-dev@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncurses6@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncursesw5-dev@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libncursesw6@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/libtinfo6@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/ncurses-base@6.3-2ubuntu0.1
  • Introduced through: buildpack-deps@22.04 ncurses/ncurses-bin@6.3-2ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

Remediation

There is no fixed version for Ubuntu:22.04 ncurses.

References

CVE-2023-45918 vulnerability report