Vulnerabilities

10 via 20 paths

Dependencies

102

Source

Docker

Target OS

ubuntu:22.04
Severity
  • 3 medium
  • 7 low
Status
  • 10
  • 0
  • 0

medium severity
new

CVE-2022-42800

  • Vulnerable module: zlib/zlib1g
  • Introduced through: zlib/zlib1g@1:1.2.11.dfsg-2ubuntu9.2

Detailed paths

  • Introduced through: ubuntu@latest zlib/zlib1g@1:1.2.11.dfsg-2ubuntu9.2

NVD Description

Note: Versions mentioned in the description apply to the upstream zlib package.

This issue was addressed with improved checks. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, macOS Ventura 13, watchOS 9.1, iOS 16.1 and iPadOS 16, macOS Monterey 12.6.1, macOS Big Sur 11.7.1. A user may be able to cause unexpected app termination or arbitrary code execution.

Remediation

There is no fixed version for Ubuntu:22.04 zlib.

medium severity
new

Off-by-one Error

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@249.11-0ubuntu3.6 and systemd/libudev1@249.11-0ubuntu3.6

Detailed paths

  • Introduced through: ubuntu@latest systemd/libsystemd0@249.11-0ubuntu3.6
  • Introduced through: ubuntu@latest systemd/libudev1@249.11-0ubuntu3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package.

An off-by-one error was discovered in systemd in the format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that lead to a buffer overrun in format_timespan(), resulting in a denial of service.

Remediation

There is no fixed version for Ubuntu:22.04 systemd.

medium severity
new

CVE-2022-3715

  • Vulnerable module: bash
  • Introduced through: bash@5.1-6ubuntu1

Detailed paths

  • Introduced through: ubuntu@latest bash@5.1-6ubuntu1

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Ubuntu:22.04 bash.

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.35-0ubuntu3.1 and glibc/libc6@2.35-0ubuntu3.1

Detailed paths

  • Introduced through: ubuntu@latest glibc/libc-bin@2.35-0ubuntu3.1
  • Introduced through: ubuntu@latest glibc/libc6@2.35-0ubuntu3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package.

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Remediation

There is no fixed version for Ubuntu:22.04 glibc.

low severity

Integer Overflow or Wraparound

  • Vulnerable module: krb5/libgssapi-krb5-2
  • Introduced through: krb5/libgssapi-krb5-2@1.19.2-2, krb5/libk5crypto3@1.19.2-2 and others

Detailed paths

  • Introduced through: ubuntu@latest krb5/libgssapi-krb5-2@1.19.2-2
  • Introduced through: ubuntu@latest krb5/libk5crypto3@1.19.2-2
  • Introduced through: ubuntu@latest krb5/libkrb5-3@1.19.2-2
  • Introduced through: ubuntu@latest krb5/libkrb5support0@1.19.2-2

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5 package.

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The variable "dbentry->n_key_data" in kadmin/dbutil/dump.c can only hold 16-bit data, but the developer unknowingly assigned a "u4" (32-bit) variable to it. An attacker can use this vulnerability to affect other artifacts of the database, since a Kerberos database dump file is treated as trusted data.

Remediation

There is no fixed version for Ubuntu:22.04 krb5.

low severity

Uncontrolled Recursion

  • Vulnerable module: pcre3/libpcre3
  • Introduced through: pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1

Detailed paths

  • Introduced through: ubuntu@latest pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream pcre3 package.

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Ubuntu:22.04 pcre3.

low severity

Out-of-bounds Read

  • Vulnerable module: ncurses/libncurses6
  • Introduced through: ncurses/libncurses6@6.3-2, ncurses/libncursesw6@6.3-2 and others

Detailed paths

  • Introduced through: ubuntu@latest ncurses/libncurses6@6.3-2
  • Introduced through: ubuntu@latest ncurses/libncursesw6@6.3-2
  • Introduced through: ubuntu@latest ncurses/libtinfo6@6.3-2
  • Introduced through: ubuntu@latest ncurses/ncurses-base@6.3-2
  • Introduced through: ubuntu@latest ncurses/ncurses-bin@6.3-2

NVD Description

Note: Versions mentioned in the description apply to the upstream ncurses package.

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Remediation

There is no fixed version for Ubuntu:22.04 ncurses.

low severity

Improper Input Validation

  • Vulnerable module: coreutils
  • Introduced through: coreutils@8.32-4.1ubuntu1

Detailed paths

  • Introduced through: ubuntu@latest coreutils@8.32-4.1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream coreutils package.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:22.04 coreutils.

low severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.8.1-2ubuntu2 and shadow/passwd@1:4.8.1-2ubuntu2
  • Fixed in: 1:4.8.1-2ubuntu2.1

Detailed paths

  • Introduced through: ubuntu@latest shadow/login@1:4.8.1-2ubuntu2
  • Introduced through: ubuntu@latest shadow/passwd@1:4.8.1-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply to the upstream shadow package. See the Remediation section for the Ubuntu:22.04 relevant versions.

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Remediation

Upgrade Ubuntu:22.04 shadow to version 1:4.8.1-2ubuntu2.1 or higher.

low severity

CVE-2022-3219

  • Vulnerable module: gnupg2/gpgv
  • Introduced through: gnupg2/gpgv@2.2.27-3ubuntu2.1

Detailed paths

  • Introduced through: ubuntu@latest gnupg2/gpgv@2.2.27-3ubuntu2.1

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Ubuntu:22.04 gnupg2.
