Docker fluent/fluentd:v1.3.3-onbuild-1.0

Vulnerabilities

13 via 62 paths

Dependencies

26

Source

Docker

Target OS

alpine:3.8.2

high severity

Out-of-bounds Write

  • Vulnerable module: musl/musl
  • Introduced through: musl/musl@1.1.19-r10 and musl/musl-utils@1.1.19-r10
  • Fixed in: 1.1.19-r11

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* musl/musl@1.1.19-r10
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* musl/musl-utils@1.1.19-r10

NVD Description

Note: Versions mentioned in the description apply to the upstream musl package. See Remediation section below for Alpine:3.8 relevant versions.

musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

Remediation

Upgrade Alpine:3.8 musl to version 1.1.19-r11 or higher.

References

high severity

Arbitrary Argument Injection

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.5-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.5-r0 or higher.

References

high severity

Arbitrary Code Injection

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.5-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.5-r0 or higher.

References

high severity

Arbitrary Code Injection

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.5-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.5-r0 or higher.

References

high severity

Arbitrary Code Injection

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.5-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.5-r0 or higher.

References

high severity

Arbitrary Code Injection

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.5-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.5-r0 or higher.

References

high severity

Arbitrary Code Injection

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.7-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.7-r0 or higher.

References

high severity

Directory Traversal

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.5-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.5-r0 or higher.

References

high severity

Improper Authentication

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.7-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.7-r0 or higher.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.7-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.7-r0 or higher.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.8-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.8-r0 or higher.

References

medium severity

CVE-2019-15845

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.7-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.7-r0 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: ruby/ruby
  • Introduced through: ruby/ruby@2.5.2-r0, ruby/ruby-etc@2.5.2-r0 and others
  • Fixed in: 2.5.8-r0

Detailed paths

  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-etc@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-irb@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-libs@2.5.2-r0
  • Introduced through: fluent/fluentd:v1.3.3-onbuild-1.0@* ruby/ruby-webrick@2.5.2-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream ruby package. See Remediation section below for Alpine:3.8 relevant versions.

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.

Remediation

Upgrade Alpine:3.8 ruby to version 2.5.8-r0 or higher.

References