diff --git a/docs/content/supported_tools/parsers/file/zora.md b/docs/content/supported_tools/parsers/file/zora.md new file mode 100644 index 00000000000..3403c082f63 --- /dev/null +++ b/docs/content/supported_tools/parsers/file/zora.md @@ -0,0 +1,9 @@ + +--- +title: "Zora Parser" +toc_hide: true +--- +Zora scan results can be exported from the [Zora platform](https://github.com/undistro/zora) + +### Sample Scan Data +Zora scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/zora). \ No newline at end of file diff --git a/dojo/tools/zora/__init__.py b/dojo/tools/zora/__init__.py new file mode 100644 index 00000000000..3ad798a42b3 --- /dev/null +++ b/dojo/tools/zora/__init__.py @@ -0,0 +1 @@ +__author__ = "manuel-sommer" diff --git a/dojo/tools/zora/parser.py b/dojo/tools/zora/parser.py new file mode 100644 index 00000000000..eee4cf9dfd0 --- /dev/null +++ b/dojo/tools/zora/parser.py @@ -0,0 +1,67 @@ + +import csv +import io + +from dojo.models import Finding, Test + + +class ZoraParser: + + """Parser for Zora combined CSV export.""" + + def get_scan_types(self): + return ["Zora Parser"] + + def get_label_for_scan_types(self, scan_type): + return "Zora Parser" + + def get_description_for_scan_types(self, scan_type): + return "Zora Parser scan results in csv file format." + + def get_findings(self, content, test: Test) -> list[Finding]: + findings = [] + if hasattr(content, "read"): + content = content.read() + if isinstance(content, bytes): + content = content.decode("utf-8") + csv_reader = csv.DictReader(io.StringIO(content), delimiter=",", quotechar='"') + for row in csv_reader: + title = row.get("title") + raw_severity = (row.get("severity") or "").strip().lower() + severity_map = { + "info": "Info", + "informational": "Info", + "low": "Low", + "medium": "Medium", + "med": "Medium", + "high": "High", + "critical": "Critical", + "crit": "Critical", + } + severity = severity_map.get(raw_severity, "Info") + description = f"**Source**: {row.get('source')}\n" + description += f"**Image**: {row.get('image')}\n" + description += f"**ID**: {row.get('id')}\n" + description += f"**Details**: {row.get('description')}\n" + if row.get("fixVersion"): + description += f"**Fix Version**: {row.get('fixVersion')}\n" + mitigation = row.get("description", "") + unique_id = f"{row.get('source')}-{row.get('image')}-{row.get('id')}" + status = row.get("status", "").upper() + is_mitigated = status in {"PASS", "OK", "FIXED"} + finding = Finding( + title=title, + description=description, + severity=severity, + mitigation=mitigation, + static_finding=False, + dynamic_finding=True, + unique_id_from_tool=unique_id, + test=test, + is_mitigated=is_mitigated, + ) + vuln_id = row.get("id") + if vuln_id: + finding.unsaved_vulnerability_ids = [vuln_id] + findings.append(finding) + return findings diff --git a/unittests/scans/zora/scan_empty.csv b/unittests/scans/zora/scan_empty.csv new file mode 100644 index 00000000000..15b75dc8149 --- /dev/null +++ b/unittests/scans/zora/scan_empty.csv @@ -0,0 +1 @@ +source,checkID,title,severity,status,remediation diff --git a/unittests/scans/zora/scan_many.csv b/unittests/scans/zora/scan_many.csv new file mode 100644 index 00000000000..e36dc0dd49e --- /dev/null +++ b/unittests/scans/zora/scan_many.csv @@ -0,0 +1,489 @@ +"source","image","id","title","severity","status","description","fixVersion" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-26519","musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ...","UNKNOWN","fixed","musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.","1.2.5-r1" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2024-12797","openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected","HIGH","fixed","Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a +server may fail to notice that the server was not authenticated, because +handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode +is set. + +Impact summary: TLS and DTLS connections using raw public keys may be +vulnerable to man-in-middle attacks when server authentication failure is not +detected by clients. + +RPKs are disabled by default in both TLS clients and TLS servers. The issue +only arises when TLS clients explicitly enable RPK use by the server, and the +server, likewise, enables sending of an RPK instead of an X.509 certificate +chain. The affected clients are those that then rely on the handshake to +fail when the server's RPK fails to match one of the expected public keys, +by setting the verification mode to SSL_VERIFY_PEER. + +Clients that enable server-side raw public keys can still find out that raw +public key verification failed by calling SSL_get_verify_result(), and those +that do, and take appropriate action, are not affected. This issue was +introduced in the initial implementation of RPK support in OpenSSL 3.2. + +The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","3.3.3-r0" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2024-13176","openssl: Timing side-channel in ECDSA signature computation","MEDIUM","fixed","Issue summary: A timing side-channel which could potentially allow recovering +the private key exists in the ECDSA signature computation. + +Impact summary: A timing side-channel in ECDSA signature computations +could allow recovering the private key by an attacker. However, measuring +the timing would require either local access to the signing application or +a very fast network connection with low latency. + +There is a timing signal of around 300 nanoseconds when the top word of +the inverted ECDSA nonce value is zero. This can happen with significant +probability only for some of the supported elliptic curves. In particular +the NIST P-521 curve is affected. To be able to measure this leak, the attacker +process must either be located in the same physical computer or must +have a very fast network connection with low latency. For that reason +the severity of this vulnerability is Low. + +The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","3.3.2-r2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-9230","openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap","MEDIUM","fixed","Issue summary: An application trying to decrypt CMS messages encrypted using +password based encryption can trigger an out-of-bounds read and write. + +Impact summary: This out-of-bounds read may trigger a crash which leads to +Denial of Service for an application. The out-of-bounds write can cause +a memory corruption which can have various consequences including +a Denial of Service or Execution of attacker-supplied code. + +Although the consequences of a successful exploit of this vulnerability +could be severe, the probability that the attacker would be able to +perform it is low. Besides, password based (PWRI) encryption support in CMS +messages is very rarely used. For that reason the issue was assessed as +Moderate severity according to our Security Policy. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as the CMS implementation is outside the OpenSSL FIPS module +boundary.","3.3.5-r0" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-9231","openssl: Timing side-channel in SM2 algorithm on 64 bit ARM","MEDIUM","fixed","Issue summary: A timing side-channel which could potentially allow remote +recovery of the private key exists in the SM2 algorithm implementation on 64 bit +ARM platforms. + +Impact summary: A timing side-channel in SM2 signature computations on 64 bit +ARM platforms could allow recovering the private key by an attacker.. + +While remote key recovery over a network was not attempted by the reporter, +timing measurements revealed a timing signal which may allow such an attack. + +OpenSSL does not directly support certificates with SM2 keys in TLS, and so +this CVE is not relevant in most TLS contexts. However, given that it is +possible to add support for such certificates via a custom provider, coupled +with the fact that in such a custom provider context the private key may be +recoverable via remote timing measurements, we consider this to be a Moderate +severity issue. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as SM2 is not an approved algorithm.","3.3.5-r0" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-9232","openssl: Out-of-bounds read in HTTP client no_proxy handling","LOW","fixed","Issue summary: An application using the OpenSSL HTTP client API functions may +trigger an out-of-bounds read if the 'no_proxy' environment variable is set and +the host portion of the authority component of the HTTP URL is an IPv6 address. + +Impact summary: An out-of-bounds read can trigger a crash which leads to +Denial of Service for an application. + +The OpenSSL HTTP client API functions can be used directly by applications +but they are also used by the OCSP client functions and CMP (Certificate +Management Protocol) client implementation in OpenSSL. However the URLs used +by these implementations are unlikely to be controlled by an attacker. + +In this vulnerable code the out of bounds read can only trigger a crash. +Furthermore the vulnerability requires an attacker-controlled URL to be +passed from an application to the OpenSSL function and the user has to have +a 'no_proxy' environment variable set. For the aforementioned reasons the +issue was assessed as Low severity. + +The vulnerable code was introduced in the following patch releases: +3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as the HTTP client implementation is outside the OpenSSL FIPS module +boundary.","3.3.5-r0" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-32793","In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters","MEDIUM","fixed","Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium. This issue has been patched in versions 1.15.16, 1.16.9, and 1.17.3. There are no workarounds available for this issue.","1.15.16, 1.16.9, 1.17.3" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-22870","golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net","MEDIUM","fixed","Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to ""*.example.com"", a request to ""[::1%25.example.com]:80` will incorrectly match and not be proxied.","0.36.0" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-22866","crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec","MEDIUM","fixed","Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.","1.22.12, 1.23.6, 1.24.0-rc.3" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2024-45336","golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect","MEDIUM","fixed","The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.","1.22.11, 1.23.5, 1.24.0-rc.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-23047","Cilium has an information leakage via insecure default Hubble UI CORS header","MEDIUM","fixed","Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default `Access-Control-Allow-Origin` header value could lead to sensitive data exposure for users of Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page. This issue is fixed in Cilium v1.14.18, v1.15.12, and v1.16.5. As a workaround, users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template as shown in the patch from commit a3489f190ba6e87b5336ee685fb6c80b1270d06d.","1.14.19, 1.15.13, 1.16.6" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-22872","golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net","MEDIUM","fixed","The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).","0.38.0" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-22868","golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws","HIGH","fixed","An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.","0.27.0" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-47907","database/sql: Postgres Scan Race Condition","HIGH","fixed","Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.","1.23.12, 1.24.6" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-0913","Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall","MEDIUM","fixed","os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.","1.23.10, 1.24.4" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-22871","net/http: Request smuggling due to acceptance of invalid chunked data in net/http","MEDIUM","fixed","The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.","1.23.8, 1.24.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-23028","DoS in Cilium agent DNS proxy from crafted DNS responses","MEDIUM","fixed","Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster. For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes that affect the impacted agent may not be applied until the agent is able to restart. This issue is fixed in Cilium v1.14.18, v1.15.12, and v1.16.5. No known workarounds are available.","1.14.18, 1.15.12, 1.16.5" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-30162","cilium: East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers","LOW","fixed","Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.","1.16.8, 1.17.2, 1.15.15" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2024-45341","golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints","MEDIUM","fixed","A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.","1.22.11, 1.23.5, 1.24.0-rc.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-4673","net/http: Sensitive headers not cleared on cross-origin redirect in net/http","MEDIUM","fixed","Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.","1.23.10, 1.24.4" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-47906","os/exec: Unexpected paths returned from LookPath in os/exec","MEDIUM","fixed","If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("""", ""."", and ""..""), can result in the binaries listed in the PATH being unexpectedly returned.","1.23.12, 1.24.6" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-30163","cilium: Node based network policies may incorrectly allow workload traffic","LOW","fixed","Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.","1.16.8" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-4947","libcurl: curl: QUIC certificate check skip with wolfSSL","MEDIUM","fixed","libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.","8.14.0-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-46835","git: Git GUI can create and overwrite files for which the user has write permission","LOW","fixed","Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.","2.45.4-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-0725","libcurl: Buffer Overflow in libcurl via zlib Integer Overflow","MEDIUM","fixed","When libcurl is asked to perform automatic gzip decompression of +content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, +**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would +make libcurl perform a buffer overflow.","8.12.0-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-5399","curl: libcurl: WebSocket endless loop","MEDIUM","fixed","Due to a mistake in libcurl's WebSocket code, a malicious server can send a +particularly crafted packet which makes libcurl get trapped in an endless +busy-loop. + +There is no other way for the application to escape or exit this loop other +than killing the thread/process. + +This might be used to DoS libcurl-using application.","8.14.1-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-8176","libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat","HIGH","fixed","A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.","2.7.0-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-26519","musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ...","UNKNOWN","fixed","musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.","1.2.5-r1" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-9230","openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap","MEDIUM","fixed","Issue summary: An application trying to decrypt CMS messages encrypted using +password based encryption can trigger an out-of-bounds read and write. + +Impact summary: This out-of-bounds read may trigger a crash which leads to +Denial of Service for an application. The out-of-bounds write can cause +a memory corruption which can have various consequences including +a Denial of Service or Execution of attacker-supplied code. + +Although the consequences of a successful exploit of this vulnerability +could be severe, the probability that the attacker would be able to +perform it is low. Besides, password based (PWRI) encryption support in CMS +messages is very rarely used. For that reason the issue was assessed as +Moderate severity according to our Security Policy. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as the CMS implementation is outside the OpenSSL FIPS module +boundary.","3.3.5-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-46334","","HIGH","fixed","Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.","2.45.4-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-52006","git: Newline confusion in credential helpers can lead to credential exfiltration in git","MEDIUM","fixed","Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.","2.45.3-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-27614","gitk: git script execution flaw","MEDIUM","fixed","Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.","2.45.4-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-48386","git: Git buffer overflow","MEDIUM","fixed","Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","2.45.4-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-13176","openssl: Timing side-channel in ECDSA signature computation","MEDIUM","fixed","Issue summary: A timing side-channel which could potentially allow recovering +the private key exists in the ECDSA signature computation. + +Impact summary: A timing side-channel in ECDSA signature computations +could allow recovering the private key by an attacker. However, measuring +the timing would require either local access to the signing application or +a very fast network connection with low latency. + +There is a timing signal of around 300 nanoseconds when the top word of +the inverted ECDSA nonce value is zero. This can happen with significant +probability only for some of the supported elliptic curves. In particular +the NIST P-521 curve is affected. To be able to measure this leak, the attacker +process must either be located in the same physical computer or must +have a very fast network connection with low latency. For that reason +the severity of this vulnerability is Low. + +The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","3.3.2-r2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-11053","curl: curl netrc password leak","MEDIUM","fixed","When asked to both use a `.netrc` file for credentials and to follow HTTP +redirects, curl could leak the password used for the first host to the +followed-to host under certain circumstances. + +This flaw only manifests itself if the netrc file has an entry that matches +the redirect target hostname but the entry either omits just the password or +omits both login and password.","8.11.1-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-0665","libcurl: Double Close of Eventfd in libcurl","MEDIUM","fixed","libcurl would wrongly close the same eventfd file descriptor twice when taking +down a connection channel after having completed a threaded name resolve.","8.12.0-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-27613","gitk: Git file creation flaw","MEDIUM","fixed","Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.","2.45.4-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-50349","git: Git does not sanitize URLs when asking for credentials interactively","LOW","fixed","Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.","2.45.3-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-9232","openssl: Out-of-bounds read in HTTP client no_proxy handling","LOW","fixed","Issue summary: An application using the OpenSSL HTTP client API functions may +trigger an out-of-bounds read if the 'no_proxy' environment variable is set and +the host portion of the authority component of the HTTP URL is an IPv6 address. + +Impact summary: An out-of-bounds read can trigger a crash which leads to +Denial of Service for an application. + +The OpenSSL HTTP client API functions can be used directly by applications +but they are also used by the OCSP client functions and CMP (Certificate +Management Protocol) client implementation in OpenSSL. However the URLs used +by these implementations are unlikely to be controlled by an attacker. + +In this vulnerable code the out of bounds read can only trigger a crash. +Furthermore the vulnerability requires an attacker-controlled URL to be +passed from an application to the OpenSSL function and the user has to have +a 'no_proxy' environment variable set. For the aforementioned reasons the +issue was assessed as Low severity. + +The vulnerable code was introduced in the following patch releases: +3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as the HTTP client implementation is outside the OpenSSL FIPS module +boundary.","3.3.5-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-10148","curl: predictable WebSocket mask","MEDIUM","fixed","curl's websocket code did not update the 32 bit mask pattern for each new + outgoing frame as the specification says. Instead it used a fixed mask that +persisted and was used throughout the entire connection. + +A predictable mask pattern allows for a malicious server to induce traffic +between the two communicating parties that could be interpreted by an involved +proxy (configured or transparent) as genuine, real, HTTP traffic with content +and thereby poison its cache. That cached poisoned content could then be +served to all users of that proxy.","8.14.1-r2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-5025","curl: libcurl: QUIC Certificate Pinning Bypass","MEDIUM","fixed","libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.","8.14.0-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-9086","curl: libcurl: Curl out of bounds read for cookie path","MEDIUM","fixed","1. A cookie is set using the `secure` keyword for `https://target` +2. curl is redirected to or otherwise made to speak with `http://target` (same + hostname, but using clear text HTTP) using the same cookie set +3. The same cookie name is set - but with just a slash as path (`path='/'`). + Since this site is not secure, the cookie *should* just be ignored. +4. A bug in the path comparison logic makes curl read outside a heap buffer + boundary + +The bug either causes a crash or it potentially makes the comparison come to +the wrong conclusion and lets the clear-text site override the contents of the +secure cookie, contrary to expectations and depending on the memory contents +immediately following the single-byte allocation that holds the path. + +The presumed and correct behavior would be to plainly ignore the second set of +the cookie since it was already set as secure on a secure host so overriding +it on an insecure host should not be okay.","8.14.1-r2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-0167","When asked to use a `.netrc` file for credentials **and** to follow HT ...","LOW","fixed","When asked to use a `.netrc` file for credentials **and** to follow HTTP +redirects, curl could leak the password used for the first host to the +followed-to host under certain circumstances. + +This flaw only manifests itself if the netrc file has a `default` entry that +omits both login and password. A rare circumstance.","8.12.0-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-59375","expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing","MEDIUM","fixed","libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.","2.7.2-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-9231","openssl: Timing side-channel in SM2 algorithm on 64 bit ARM","MEDIUM","fixed","Issue summary: A timing side-channel which could potentially allow remote +recovery of the private key exists in the SM2 algorithm implementation on 64 bit +ARM platforms. + +Impact summary: A timing side-channel in SM2 signature computations on 64 bit +ARM platforms could allow recovering the private key by an attacker.. + +While remote key recovery over a network was not attempted by the reporter, +timing measurements revealed a timing signal which may allow such an attack. + +OpenSSL does not directly support certificates with SM2 keys in TLS, and so +this CVE is not relevant in most TLS contexts. However, given that it is +possible to add support for such certificates via a custom provider, coupled +with the fact that in such a custom provider context the private key may be +recoverable via remote timing measurements, we consider this to be a Moderate +severity issue. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as SM2 is not an approved algorithm.","3.3.5-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-48384","git: Git arbitrary code execution","HIGH","fixed","Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","2.45.4-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-48385","git: Git arbitrary file writes","HIGH","fixed","Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","2.45.4-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-12797","openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected","HIGH","fixed","Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a +server may fail to notice that the server was not authenticated, because +handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode +is set. + +Impact summary: TLS and DTLS connections using raw public keys may be +vulnerable to man-in-middle attacks when server authentication failure is not +detected by clients. + +RPKs are disabled by default in both TLS clients and TLS servers. The issue +only arises when TLS clients explicitly enable RPK use by the server, and the +server, likewise, enables sending of an RPK instead of an X.509 certificate +chain. The affected clients are those that then rely on the handshake to +fail when the server's RPK fails to match one of the expected public keys, +by setting the verification mode to SSL_VERIFY_PEER. + +Clients that enable server-side raw public keys can still find out that raw +public key verification failed by calling SSL_get_verify_result(), and those +that do, and take appropriate action, are not affected. This issue was +introduced in the initial implementation of RPK support in OpenSSL 3.2. + +The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","3.3.3-r0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-22872","golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net","MEDIUM","fixed","The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).","0.38.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-46569","github.com/open-policy-agent/opa/server: github.com/open-policy-agent/opa/v1/server: OPA server Data API HTTP path injection of Rego","HIGH","fixed","Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA’s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.","1.4.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58058","github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory","MEDIUM","fixed","xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.","0.5.15" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-32387","helm.sh/helm/v3: Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow","MEDIUM","fixed","Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm v3.17.3.","3.17.3" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-47906","os/exec: Unexpected paths returned from LookPath in os/exec","MEDIUM","fixed","If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("""", ""."", and ""..""), can result in the binaries listed in the PATH being unexpectedly returned.","1.23.12, 1.24.6" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-32386","helm.sh/helm/v3: Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination","MEDIUM","fixed","Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to terminate. This issue has been resolved in Helm v3.17.3.","3.17.3" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-45341","golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints","MEDIUM","fixed","A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.","1.22.11, 1.23.5, 1.24.0-rc.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-22871","net/http: Request smuggling due to acceptance of invalid chunked data in net/http","MEDIUM","fixed","The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.","1.23.8, 1.24.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-25621","containerd is an open-source container runtime. Versions 0.1.0 through ...","HIGH","fixed","containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.","1.7.29" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-21614","go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies","HIGH","fixed","go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.","5.13.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-45336","golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect","MEDIUM","fixed","The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.","1.22.11, 1.23.5, 1.24.0-rc.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-0913","Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall","MEDIUM","fixed","os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.","1.23.10, 1.24.4" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-8556","github.com/cloudflare/circl: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results","LOW","fixed","A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.","1.6.1" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-21613","go-git: argument injection via the URL field","CRITICAL","fixed","go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.","5.13.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-22869","golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh","HIGH","fixed","SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.","0.35.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58181","SSH servers parsing GSSAPI authentication requests do not validate the ...","MEDIUM","fixed","SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.","0.45.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-22868","golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws","HIGH","fixed","An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.","0.27.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-55198","helm.sh/helm/v3: Helm YAML Parsing Panic Vulnerability","MEDIUM","fixed","Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatted as Helm expects prior to processing them with Helm.","3.18.5" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-47907","database/sql: Postgres Scan Race Condition","HIGH","fixed","Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.","1.23.12, 1.24.6" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-45337","golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto","CRITICAL","fixed","Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that ""A call to this function does not guarantee that the key offered is in fact used to authenticate."" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.","0.31.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2024-40635","containerd: containerd has an integer overflow in User ID handling","MEDIUM","fixed","containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.","1.7.27, 1.6.38" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-64329","containerd is an open-source container runtime. Versions 1.7.28 and be ...","MEDIUM","fixed","containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.","1.7.29" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-47914","SSH Agent servers do not validate the size of messages when processing ...","MEDIUM","fixed","SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.","0.45.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-53547","helm.sh/helm/v3: Helm Chart Code Execution","HIGH","fixed","Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.","3.18.4, 3.17.4" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-55199","helm.sh/helm/v3: Helm Chart JSON Schema Denial of Service","MEDIUM","fixed","Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.","3.18.5" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-4673","net/http: Sensitive headers not cleared on cross-origin redirect in net/http","MEDIUM","fixed","Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.","1.23.10, 1.24.4" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-54410","github.com/moby/moby: Moby's Firewalld reload removes bridge network isolation","LOW","fixed","Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected. +Workarounds include reloading firewalld and either restarting the docker daemon, re-creating bridge networks, or using rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13.","28.0.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-30204","golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing","HIGH","fixed","golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.","4.5.2" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-8959","github.com/hashicorp/go-getter: HashiCorp go-getter Arbitrary File Read","HIGH","fixed","HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.","1.7.9" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-52881","runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects","HIGH","fixed","runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.","1.13.0" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-22866","crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec","MEDIUM","fixed","Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.","1.22.12, 1.23.6, 1.24.0-rc.3" +"Trivy","ghcr.io/undistro/trivy:0.57","CVE-2025-22870","golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net","MEDIUM","fixed","Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to ""*.example.com"", a request to ""[::1%25.example.com]:80` will incorrectly match and not be proxied.","0.36.0" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2023-28452","CoreDNS vulnerable to TuDoor Attacks","HIGH","fixed","An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID.","1.11.0" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-0913","Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall","MEDIUM","fixed","os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.","1.23.10, 1.24.4" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-4673","net/http: Sensitive headers not cleared on cross-origin redirect in net/http","MEDIUM","fixed","Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.","1.23.10, 1.24.4" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2022-2837","coreDNS: DNS Redirection of Top-Level Domains","MEDIUM","affected","A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD.","N/A" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2024-0874","coredns: CD bit response is cached and served later","MEDIUM","fixed","A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.","1.11.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","GHSA-gv9j-4w24-q7vx","Improper random number generation in github.com/coredns/coredns","MEDIUM","fixed","### Impact + +CoreDNS before 1.6.6 (using go DNS package < 1.1.25) improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries. + +### Patches +The problem has been fixed in 1.6.6+. + +### References +- [CVE-2019-19794](https://nvd.nist.gov/vuln/detail/CVE-2019-19794) + +### For more information +Please consult [our security guide](https://github.com/coredns/coredns/blob/master/.github/SECURITY.md) for more information regarding our security process. +","1.6.6" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-59530","github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame","HIGH","fixed","quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.","0.49.1, 0.54.1" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-22872","golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net","MEDIUM","fixed","The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).","0.38.0" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-22871","net/http: Request smuggling due to acceptance of invalid chunked data in net/http","MEDIUM","fixed","The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.","1.23.8, 1.24.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-47950","coredns: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification","HIGH","fixed","CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies.","1.12.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-47914","SSH Agent servers do not validate the size of messages when processing ...","MEDIUM","fixed","SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.","0.45.0" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-22874","crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509","HIGH","fixed","Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.","1.24.4" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-47906","os/exec: Unexpected paths returned from LookPath in os/exec","MEDIUM","fixed","If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("""", ""."", and ""..""), can result in the binaries listed in the PATH being unexpectedly returned.","1.23.12, 1.24.6" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-47907","database/sql: Postgres Scan Race Condition","HIGH","fixed","Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.","1.23.12, 1.24.6" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2022-2835","coreDNS: DNS Redirection of Internal Services","MEDIUM","affected","A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of ..svc.","N/A" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2023-30464","CoreDNS Cache Poisoning via a birthday attack","MEDIUM","affected","CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.","N/A" +"Trivy","registry.k8s.io/coredns/coredns:v1.12.1","CVE-2025-58181","SSH servers parsing GSSAPI authentication requests do not validate the ...","MEDIUM","fixed","SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.","0.45.0" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-47914","SSH Agent servers do not validate the size of messages when processing ...","MEDIUM","fixed","SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.","0.45.0" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-58181","SSH servers parsing GSSAPI authentication requests do not validate the ...","MEDIUM","fixed","SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.","0.45.0" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-47907","database/sql: Postgres Scan Race Condition","HIGH","fixed","Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.","1.23.12, 1.24.6" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-47906","os/exec: Unexpected paths returned from LookPath in os/exec","MEDIUM","fixed","If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("""", ""."", and ""..""), can result in the binaries listed in the PATH being unexpectedly returned.","1.23.12, 1.24.6" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/etcd:3.6.4-0","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-apiserver:v1.34.0","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","registry.k8s.io/kube-controller-manager:v1.34.0","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-5278","coreutils: Heap Buffer Under-Read in GNU Coreutils sort via Key Specification","LOW","affected","A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2012-2663","iptables: --syn flag bypass","LOW","affected","extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-4802","glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH","HIGH","fixed","Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).","2.36-9+deb12u11" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2010-4756","glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions","LOW","affected","The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2018-20796","glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c","LOW","affected","In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2019-1010024","glibc: ASLR bypass using cache of thread stack and heap","LOW","affected","GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate ""this is being treated as a non-security bug and no real threat.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2020-36325","jansson: out-of-bounds read in json_loads() due to a parsing error","LOW","affected","An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2016-2781","coreutils: Non-privileged session can escape to the parent session in chroot","LOW","will_not_fix","chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-8058","glibc: Double free in glibc","MEDIUM","fixed","The regcomp function in the GNU C library version from 2.4 to 2.41 is +subject to a double free if some previous allocation fails. It can be +accomplished either by a malloc failure or by using an interposed malloc + that injects random malloc failures. The double free can allow buffer +manipulation depending of how the regex is constructed. This issue +affects all architectures and ABIs supported by the GNU C library.","2.36-9+deb12u13" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2019-1010022","glibc: stack guard protection bypass","LOW","affected","GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate ""this is being treated as a non-security bug and no real threat.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2019-9192","glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c","LOW","affected","In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-27587","OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable ...","LOW","affected","OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-9232","openssl: Out-of-bounds read in HTTP client no_proxy handling","LOW","fixed","Issue summary: An application using the OpenSSL HTTP client API functions may +trigger an out-of-bounds read if the 'no_proxy' environment variable is set and +the host portion of the authority component of the HTTP URL is an IPv6 address. + +Impact summary: An out-of-bounds read can trigger a crash which leads to +Denial of Service for an application. + +The OpenSSL HTTP client API functions can be used directly by applications +but they are also used by the OCSP client functions and CMP (Certificate +Management Protocol) client implementation in OpenSSL. However the URLs used +by these implementations are unlikely to be controlled by an attacker. + +In this vulnerable code the out of bounds read can only trigger a crash. +Furthermore the vulnerability requires an attacker-controlled URL to be +passed from an application to the OpenSSL function and the user has to have +a 'no_proxy' environment variable set. For the aforementioned reasons the +issue was assessed as Low severity. + +The vulnerable code was introduced in the following patch releases: +3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as the HTTP client implementation is outside the OpenSSL FIPS module +boundary.","3.0.17-1~deb12u3" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2019-1010023","glibc: running ldd on malicious ELF leads to code execution because of wrong size computation","LOW","affected","GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate ""this is being treated as a non-security bug and no real threat.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2017-18018","coreutils: race condition vulnerability in chown and chgrp","LOW","affected","In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX ""-R -L"" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2019-1010025","glibc: information disclosure of heap addresses of pthread_created thread","LOW","affected","GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is ""ASLR bypass itself is not a vulnerability.","N/A" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-9230","openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap","MEDIUM","fixed","Issue summary: An application trying to decrypt CMS messages encrypted using +password based encryption can trigger an out-of-bounds read and write. + +Impact summary: This out-of-bounds read may trigger a crash which leads to +Denial of Service for an application. The out-of-bounds write can cause +a memory corruption which can have various consequences including +a Denial of Service or Execution of attacker-supplied code. + +Although the consequences of a successful exploit of this vulnerability +could be severe, the probability that the attacker would be able to +perform it is low. Besides, password based (PWRI) encryption support in CMS +messages is very rarely used. For that reason the issue was assessed as +Moderate severity according to our Security Policy. + +The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this +issue, as the CMS implementation is outside the OpenSSL FIPS module +boundary.","3.0.17-1~deb12u3" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-proxy:v1.34.0","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-58189","crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information","MEDIUM","fixed","When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-61723","encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem","MEDIUM","fixed","The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-61724","net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto","MEDIUM","fixed","The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-61725","net/mail: Excessive CPU consumption in ParseAddress in net/mail","MEDIUM","fixed","The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-58188","Validating certificate chains which contain DSA public keys can cause ...","HIGH","fixed","Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-47912","net/url: Insufficient validation of bracketed IPv6 hostnames in net/url","MEDIUM","fixed","The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: ""http://[::1]/"". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-58183","golang: archive/tar: Unbounded allocation when parsing GNU sparse map","HIGH","fixed","tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-58186","Despite HTTP headers having a default limit of 1MB, the number of cook ...","HIGH","fixed","Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as ""a=;"", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.","1.24.8, 1.25.2" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-58187","Due to the design of the name constraint checking algorithm, the proce ...","HIGH","fixed","Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.","1.24.9, 1.25.3" +"Trivy","registry.k8s.io/kube-scheduler:v1.34.0","CVE-2025-58185","encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1","MEDIUM","fixed","Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.","1.24.8, 1.25.2" diff --git a/unittests/tools/test_zora_parser.py b/unittests/tools/test_zora_parser.py new file mode 100644 index 00000000000..48978a31578 --- /dev/null +++ b/unittests/tools/test_zora_parser.py @@ -0,0 +1,26 @@ +from dojo.models import Test +from dojo.tools.zora.parser import ZoraParser +from unittests.dojo_test_case import DojoTestCase, get_unit_tests_scans_path + + +class TestZoraParser(DojoTestCase): + + def test_parse_file_with_no_vuln_has_no_finding(self): + with (get_unit_tests_scans_path("zora") / "scan_empty.csv").open(encoding="utf-8") as testfile: + content = testfile.read() # Read raw content + parser = ZoraParser() + findings = parser.get_findings(content, Test()) + self.assertEqual(0, len(findings)) + + def test_parse_file_with_many_vuln_has_many_findings(self): + with (get_unit_tests_scans_path("zora") / "scan_many.csv").open(encoding="utf-8") as testfile: + content = testfile.read() # Read raw content + parser = ZoraParser() + findings = parser.get_findings(content, Test()) + self.assertEqual(198, len(findings)) # Adjust based on your test file + # Check a specific finding for correctness + finding = findings[10] + self.assertEqual("net/url: Insufficient validation of bracketed IPv6 hostnames in net/url", finding.title) + self.assertEqual("Medium", finding.severity) + self.assertTrue(finding.unique_id_from_tool.startswith(f"{finding.description.splitlines()[0].split(': ')[1]}")) + self.assertIn("Fix Version", finding.description)