Vulnerability report for Docker buildpack-deps:focal-curl

Vulnerabilities	20 via 57 paths
Dependencies	140
Source	Docker
Target OS	ubuntu:20.04

Test your Docker Hub image against our market leading vulnerability database Sign up for free

Severity

Critical
High
Medium
8
Low
12

Status

Open
20
Patched
0
Ignored
0

medium severity

Open Redirect

Vulnerable module: wget
Introduced through: wget@1.20.3-1ubuntu2

Detailed paths

Introduced through: buildpack-deps@focal-curl › wget@1.20.3-1ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:20.04 wget.

References

Open Redirect vulnerability report

medium severity

CVE-2020-22916

Vulnerable module: xz-utils/liblzma5
Introduced through: xz-utils/liblzma5@5.2.4-1ubuntu1.1

Detailed paths

Introduced through: buildpack-deps@focal-curl › xz-utils/liblzma5@5.2.4-1ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.

Remediation

There is no fixed version for Ubuntu:20.04 xz-utils.

References

CVE-2020-22916 vulnerability report

medium severity

new

CVE-2024-2961

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.31-0ubuntu9.14 and glibc/libc6@2.31-0ubuntu9.14
Fixed in: 2.31-0ubuntu9.15

Detailed paths

Introduced through: buildpack-deps@focal-curl › glibc/libc-bin@2.31-0ubuntu9.14
Introduced through: buildpack-deps@focal-curl › glibc/libc6@2.31-0ubuntu9.14

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.15 or higher.

References

CVE-2024-2961 vulnerability report

medium severity

new

Information Exposure

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.6.13-2ubuntu1.10
Fixed in: 3.6.13-2ubuntu1.11

Detailed paths

Introduced through: buildpack-deps@focal-curl › gnutls28/libgnutls30@3.6.13-2ubuntu1.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.11 or higher.

References

Information Exposure vulnerability report

medium severity

CVE-2024-26458

Vulnerable module: krb5/libgssapi-krb5-2
Introduced through: krb5/libgssapi-krb5-2@1.17-6ubuntu4.4, krb5/libk5crypto3@1.17-6ubuntu4.4 and others

Detailed paths

Introduced through: buildpack-deps@focal-curl › krb5/libgssapi-krb5-2@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libk5crypto3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5-3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5support0@1.17-6ubuntu4.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

There is no fixed version for Ubuntu:20.04 krb5.

References

CVE-2024-26458 vulnerability report

medium severity

CVE-2024-26461

Vulnerable module: krb5/libgssapi-krb5-2
Introduced through: krb5/libgssapi-krb5-2@1.17-6ubuntu4.4, krb5/libk5crypto3@1.17-6ubuntu4.4 and others

Detailed paths

Introduced through: buildpack-deps@focal-curl › krb5/libgssapi-krb5-2@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libk5crypto3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5-3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5support0@1.17-6ubuntu4.4

NVD Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

There is no fixed version for Ubuntu:20.04 krb5.

References

CVE-2024-26461 vulnerability report

medium severity

CVE-2024-26462

Vulnerable module: krb5/libgssapi-krb5-2
Introduced through: krb5/libgssapi-krb5-2@1.17-6ubuntu4.4, krb5/libk5crypto3@1.17-6ubuntu4.4 and others

Detailed paths

Introduced through: buildpack-deps@focal-curl › krb5/libgssapi-krb5-2@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libk5crypto3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5-3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5support0@1.17-6ubuntu4.4

NVD Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

Remediation

There is no fixed version for Ubuntu:20.04 krb5.

References

CVE-2024-26462 vulnerability report

medium severity

Information Exposure

Vulnerable module: libgcrypt20
Introduced through: libgcrypt20@1.8.5-5ubuntu1.1

Detailed paths

Introduced through: buildpack-deps@focal-curl › libgcrypt20@1.8.5-5ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Ubuntu:20.04 libgcrypt20.

References

Information Exposure vulnerability report

low severity

Use After Free

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.31-0ubuntu9.14 and glibc/libc6@2.31-0ubuntu9.14

Detailed paths

Introduced through: buildpack-deps@focal-curl › glibc/libc-bin@2.31-0ubuntu9.14
Introduced through: buildpack-deps@focal-curl › glibc/libc6@2.31-0ubuntu9.14

NVD Description

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Remediation

There is no fixed version for Ubuntu:20.04 glibc.

References

Use After Free vulnerability report

low severity

CVE-2023-26604

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@245.4-4ubuntu3.23 and systemd/libudev1@245.4-4ubuntu3.23

Detailed paths

Introduced through: buildpack-deps@focal-curl › systemd/libsystemd0@245.4-4ubuntu3.23
Introduced through: buildpack-deps@focal-curl › systemd/libudev1@245.4-4ubuntu3.23

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

Remediation

There is no fixed version for Ubuntu:20.04 systemd.

References

CVE-2023-26604 vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.31-0ubuntu9.14 and glibc/libc6@2.31-0ubuntu9.14

Detailed paths

Introduced through: buildpack-deps@focal-curl › glibc/libc-bin@2.31-0ubuntu9.14
Introduced through: buildpack-deps@focal-curl › glibc/libc6@2.31-0ubuntu9.14

NVD Description

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Remediation

There is no fixed version for Ubuntu:20.04 glibc.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: krb5/libgssapi-krb5-2
Introduced through: krb5/libgssapi-krb5-2@1.17-6ubuntu4.4, krb5/libk5crypto3@1.17-6ubuntu4.4 and others

Detailed paths

Introduced through: buildpack-deps@focal-curl › krb5/libgssapi-krb5-2@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libk5crypto3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5-3@1.17-6ubuntu4.4
Introduced through: buildpack-deps@focal-curl › krb5/libkrb5support0@1.17-6ubuntu4.4

NVD Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Ubuntu:20.04 krb5.

References

Integer Overflow or Wraparound vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: pcre3/libpcre3
Introduced through: pcre3/libpcre3@2:8.39-12ubuntu0.1

Detailed paths

Introduced through: buildpack-deps@focal-curl › pcre3/libpcre3@2:8.39-12ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Ubuntu:20.04 pcre3.

References

Uncontrolled Recursion vulnerability report

low severity

Improper Input Validation

Vulnerable module: coreutils
Introduced through: coreutils@8.30-3ubuntu2

Detailed paths

Introduced through: buildpack-deps@focal-curl › coreutils@8.30-3ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:20.04 coreutils.

References

Improper Input Validation vulnerability report

low severity

CVE-2023-50495

Vulnerable module: ncurses/libncurses6
Introduced through: ncurses/libncurses6@6.2-0ubuntu2.1, ncurses/libncursesw6@6.2-0ubuntu2.1 and others

Detailed paths

Introduced through: buildpack-deps@focal-curl › ncurses/libncurses6@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/libncursesw6@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/libtinfo6@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/ncurses-base@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/ncurses-bin@6.2-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for Ubuntu:20.04 ncurses.

References

CVE-2023-50495 vulnerability report

low severity

CVE-2023-7008

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@245.4-4ubuntu3.23 and systemd/libudev1@245.4-4ubuntu3.23

Detailed paths

Introduced through: buildpack-deps@focal-curl › systemd/libsystemd0@245.4-4ubuntu3.23
Introduced through: buildpack-deps@focal-curl › systemd/libudev1@245.4-4ubuntu3.23

NVD Description

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Remediation

There is no fixed version for Ubuntu:20.04 systemd.

References

CVE-2023-7008 vulnerability report

low severity

Time-of-check Time-of-use (TOCTOU)

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.8.1-1ubuntu5.20.04.5 and shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

Detailed paths

Introduced through: buildpack-deps@focal-curl › shadow/login@1:4.8.1-1ubuntu5.20.04.5
Introduced through: buildpack-deps@focal-curl › shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Remediation

There is no fixed version for Ubuntu:20.04 shadow.

References

Time-of-check Time-of-use (TOCTOU) vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: gnupg2/dirmngr
Introduced through: gnupg2/dirmngr@2.2.19-3ubuntu2.2, gnupg2/gnupg@2.2.19-3ubuntu2.2 and others

Detailed paths

Introduced through: buildpack-deps@focal-curl › gnupg2/dirmngr@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gnupg@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gnupg-l10n@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gnupg-utils@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gpg@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gpg-agent@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gpg-wks-client@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gpg-wks-server@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gpgconf@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gpgsm@2.2.19-3ubuntu2.2
Introduced through: buildpack-deps@focal-curl › gnupg2/gpgv@2.2.19-3ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Ubuntu:20.04 gnupg2.

References

Out-of-bounds Write vulnerability report

low severity

Arbitrary Code Injection

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.8.1-1ubuntu5.20.04.5 and shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

Detailed paths

Introduced through: buildpack-deps@focal-curl › shadow/login@1:4.8.1-1ubuntu5.20.04.5
Introduced through: buildpack-deps@focal-curl › shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

NVD Description

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

Remediation

There is no fixed version for Ubuntu:20.04 shadow.

References

Arbitrary Code Injection vulnerability report

low severity

CVE-2023-45918

Vulnerable module: ncurses/libncurses6
Introduced through: ncurses/libncurses6@6.2-0ubuntu2.1, ncurses/libncursesw6@6.2-0ubuntu2.1 and others

Detailed paths

Introduced through: buildpack-deps@focal-curl › ncurses/libncurses6@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/libncursesw6@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/libtinfo6@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/ncurses-base@6.2-0ubuntu2.1
Introduced through: buildpack-deps@focal-curl › ncurses/ncurses-bin@6.2-0ubuntu2.1

NVD Description

ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

Remediation

There is no fixed version for Ubuntu:20.04 ncurses.

References

CVE-2023-45918 vulnerability report

Vulnerabilities

Dependencies

Source

Target OS

medium severity

Open Redirect

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2020-22916

Detailed paths

NVD Description

Remediation

References

medium severity new

CVE-2024-2961

Detailed paths

NVD Description

Remediation

References

medium severity new

Information Exposure

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2024-26458

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2024-26461

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2024-26462

Detailed paths

NVD Description

Remediation

References

medium severity

Information Exposure

Detailed paths

NVD Description

Remediation

References

low severity

Use After Free

Detailed paths

NVD Description

Remediation

References

low severity

CVE-2023-26604

Detailed paths

NVD Description

Remediation

References

low severity

Allocation of Resources Without Limits or Throttling

Detailed paths

NVD Description

Remediation

References

low severity

Integer Overflow or Wraparound

Detailed paths

NVD Description

Remediation

References

low severity

Uncontrolled Recursion

Detailed paths

NVD Description

medium severity

new

medium severity

new