Vulnerabilities

7 via 24 paths

Dependencies

408

Source

Docker

Target OS

ubuntu:19.10

Severity

  • 5 medium
  • 2 low
Status
  • 7
  • 0
  • 0

medium severity

Arbitrary Code Injection

  • Vulnerable module: curl
  • Introduced through: curl@7.65.3-1ubuntu3, curl/libcurl3-gnutls@7.65.3-1ubuntu3 and others
  • Fixed in: 7.65.3-1ubuntu3.1

Detailed paths

  • Introduced through: buildpack-deps@eoan curl@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps@eoan curl/libcurl3-gnutls@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps@eoan curl/libcurl4@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps@eoan curl/libcurl4-openssl-dev@7.65.3-1ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See Remediation below for the fixed versions and status relevant to Ubuntu:19.10.

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to overwriting a local file when the -J flag is used.

Remediation

Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.65.3-1ubuntu3, curl/libcurl3-gnutls@7.65.3-1ubuntu3 and others
  • Fixed in: 7.65.3-1ubuntu3.1

Detailed paths

  • Introduced through: buildpack-deps@eoan curl@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps@eoan curl/libcurl3-gnutls@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps@eoan curl/libcurl4@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps@eoan curl/libcurl4-openssl-dev@7.65.3-1ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See Remediation below for the fixed versions and status relevant to Ubuntu:19.10.

curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).

Remediation

Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.30-0ubuntu2.1, glibc/libc-dev-bin@2.30-0ubuntu2.1 and others
  • Fixed in: 2.30-0ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps@eoan glibc/libc-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc-dev-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc6@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc6-dev@2.30-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See Remediation below for the fixed versions and status relevant to Ubuntu:19.10.

An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.

medium severity

Out-of-bounds Write

  • Vulnerable module: openexr/libopenexr-dev
  • Introduced through: openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1 and openexr/libopenexr23@2.2.1-4.1ubuntu1.1
  • Fixed in: 2.2.1-4.1ubuntu1.2

Detailed paths

  • Introduced through: buildpack-deps@eoan openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1
  • Introduced through: buildpack-deps@eoan openexr/libopenexr23@2.2.1-4.1ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See Remediation below for the fixed versions and status relevant to Ubuntu:19.10.

An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

Remediation

Upgrade Ubuntu:19.10 openexr to version 2.2.1-4.1ubuntu1.2 or higher.

medium severity

Use After Free

  • Vulnerable module: openexr/libopenexr-dev
  • Introduced through: openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1 and openexr/libopenexr23@2.2.1-4.1ubuntu1.1
  • Fixed in: 2.2.1-4.1ubuntu1.2

Detailed paths

  • Introduced through: buildpack-deps@eoan openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1
  • Introduced through: buildpack-deps@eoan openexr/libopenexr23@2.2.1-4.1ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See Remediation below for the fixed versions and status relevant to Ubuntu:19.10.

An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

Remediation

Upgrade Ubuntu:19.10 openexr to version 2.2.1-4.1ubuntu1.2 or higher.

low severity

Use After Free

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.30-0ubuntu2.1, glibc/libc-dev-bin@2.30-0ubuntu2.1 and others
  • Fixed in: 2.30-0ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps@eoan glibc/libc-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc-dev-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc6@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc6-dev@2.30-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See Remediation below for the fixed versions and status relevant to Ubuntu:19.10.

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

Remediation

Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.

low severity

Information Exposure

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.30-0ubuntu2.1, glibc/libc-dev-bin@2.30-0ubuntu2.1 and others
  • Fixed in: 2.30-0ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps@eoan glibc/libc-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc-dev-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc6@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps@eoan glibc/libc6-dev@2.30-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See Remediation below for the fixed versions and status relevant to Ubuntu:19.10.

On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.

Remediation

Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.