From d8d13258c36a4ebf4dfe3c3e31a511faf96f4ad3 Mon Sep 17 00:00:00 2001 
From: trickest-workflows Date: Tue, 15 Nov 2022 13:32:11 +0000 Subject: [PATCH] Update Tue Nov 15 13:32:11 UTC 2022 --- images/nginx/1.23.2-perl/README.md | 54 ++++++++++++ images/nginx/1.23.2-perl/reports/cve.txt | 85 +++++++++++++++++++ .../nginx/1.23.2-perl/reports/dev-tools.txt | 0 .../nginx/1.23.2-perl/reports/etc-issue.txt | 0 .../nginx/1.23.2-perl/reports/etc-passwd.txt | 0 .../nginx/1.23.2-perl/reports/etc-release.txt | 0 .../nginx/1.23.2-perl/reports/etc-shadow.txt | 0 .../1.23.2-perl/reports/exposed-ports.txt | 1 + .../reports/files-owned-by-root.txt | 0 images/nginx/1.23.2-perl/reports/gtfo.txt | 0 .../1.23.2-perl/reports/guid-executables.txt | 0 .../1.23.2-perl/reports/hidden-files.txt | 0 .../nginx/1.23.2-perl/reports/no-poc-cve.txt | 17 ++++ .../1.23.2-perl/reports/package-names.txt | 0 .../nginx/1.23.2-perl/reports/pass-policy.txt | 0 .../1.23.2-perl/reports/path-executables.txt | 0 images/nginx/1.23.2-perl/reports/poc-cve.txt | 68 +++++++++++++++ .../1.23.2-perl/reports/root-structure.txt | 0 .../nginx/1.23.2-perl/reports/ssl-certs.txt | 0 .../1.23.2-perl/reports/suid-executables.txt | 0 .../reports/world-writable-files.txt | 0 .../reports/world-writable-folders.txt | 0 22 files changed, 225 insertions(+) create mode 100644 images/nginx/1.23.2-perl/README.md create mode 100644 images/nginx/1.23.2-perl/reports/cve.txt create mode 100644 images/nginx/1.23.2-perl/reports/dev-tools.txt create mode 100644 images/nginx/1.23.2-perl/reports/etc-issue.txt create mode 100644 images/nginx/1.23.2-perl/reports/etc-passwd.txt create mode 100644 images/nginx/1.23.2-perl/reports/etc-release.txt create mode 100644 images/nginx/1.23.2-perl/reports/etc-shadow.txt create mode 100644 images/nginx/1.23.2-perl/reports/exposed-ports.txt create mode 100644 images/nginx/1.23.2-perl/reports/files-owned-by-root.txt create mode 100644 images/nginx/1.23.2-perl/reports/gtfo.txt create mode 100644 images/nginx/1.23.2-perl/reports/guid-executables.txt create mode 100644 
images/nginx/1.23.2-perl/reports/hidden-files.txt create mode 100644 images/nginx/1.23.2-perl/reports/no-poc-cve.txt create mode 100644 images/nginx/1.23.2-perl/reports/package-names.txt create mode 100644 images/nginx/1.23.2-perl/reports/pass-policy.txt create mode 100644 images/nginx/1.23.2-perl/reports/path-executables.txt create mode 100644 images/nginx/1.23.2-perl/reports/poc-cve.txt create mode 100644 images/nginx/1.23.2-perl/reports/root-structure.txt create mode 100644 images/nginx/1.23.2-perl/reports/ssl-certs.txt create mode 100644 images/nginx/1.23.2-perl/reports/suid-executables.txt create mode 100644 images/nginx/1.23.2-perl/reports/world-writable-files.txt create mode 100644 images/nginx/1.23.2-perl/reports/world-writable-folders.txt diff --git a/images/nginx/1.23.2-perl/README.md b/images/nginx/1.23.2-perl/README.md new file mode 100644 index 00000000..03e4a084 --- /dev/null +++ b/images/nginx/1.23.2-perl/README.md @@ -0,0 +1,54 @@ +# [nginx:1.23.2-perl](https://hub.docker.com/_/nginx?tab=tags) +![](https://img.shields.io/static/v1?label=tag&message=1.23.2-perl&color=blue) +--- +

+Official build of Nginx. +

+ +## CVEs +### Critical (2) +#### With POC +[![](https://img.shields.io/badge/🔗%20CVE--2019--8457-CRITICAL-red)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-8457.md) +#### Without POC +[![](https://img.shields.io/badge/%20CVE--2021--46848-CRITICAL-red)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-46848.md) + +### High (13) +#### With POC +[![](https://img.shields.io/badge/🔗%20CVE--2022--42916-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-42916.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--1304-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-1304.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--43680-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-43680.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--33560-HIGH-organge)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-33560.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--29458-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-29458.md)[![](https://img.shields.io/badge/🔗%20CVE--2020--16156-HIGH-organge)](https://github.com/trickest/cve/blob/main/2020/CVE-2020-16156.md) +#### Without POC 
+[![](https://img.shields.io/badge/%20CVE--2022--2868-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2868.md)[![](https://img.shields.io/badge/%20CVE--2022--2869-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2869.md)[![](https://img.shields.io/badge/%20CVE--2022--2867-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2867.md)[![](https://img.shields.io/badge/%20CVE--2022--40304-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-40304.md)[![](https://img.shields.io/badge/%20CVE--2022--40303-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-40303.md)[![](https://img.shields.io/badge/%20CVE--2022--41741-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-41741.md)[![](https://img.shields.io/badge/%20CVE--2022--41742-HIGH-organge)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-41742.md) + +### Medium (14) +#### With POC +[![](https://img.shields.io/badge/🔗%20CVE--2022--2056-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2056.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--2057-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2057.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--2058-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2058.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--32221-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-32221.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--46822-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-46822.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--34526-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-34526.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--1354-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-1354.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--1622-MEDIUM-yellow)](https://github.co
m/trickest/cve/blob/main/2022/CVE-2022-1622.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--1355-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-1355.md)[![](https://img.shields.io/badge/🔗%20CVE--2016--3709-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2016/CVE-2016-3709.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--2097-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2097.md) +#### Without POC +[![](https://img.shields.io/badge/%20CVE--2022--3715-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-3715.md)[![](https://img.shields.io/badge/%20CVE--2022--1623-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-1623.md)[![](https://img.shields.io/badge/%20CVE--2022--3821-MEDIUM-yellow)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-3821.md) + +### Low (56) +#### With POC +[![](https://img.shields.io/badge/🔗%20CVE--2007--6755-LOW-blue)](https://github.com/trickest/cve/blob/main/2007/CVE-2007-6755.md)[![](https://img.shields.io/badge/🔗%20CVE--2011--3389-LOW-blue)](https://github.com/trickest/cve/blob/main/2011/CVE-2011-3389.md)[![](https://img.shields.io/badge/🔗%20CVE--2016--2781-LOW-blue)](https://github.com/trickest/cve/blob/main/2016/CVE-2016-2781.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--18018-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-18018.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--22922-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-22922.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--22923-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-22923.md)[![](https://img.shields.io/badge/🔗%20CVE--2013--0340-LOW-blue)](https://github.com/trickest/cve/blob/main/2013/CVE-2013-0340.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--1010024-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-1010024.md)[![](https://img.shields.io/badge/🔗%20CVE--2010--4756-L
OW-blue)](https://github.com/trickest/cve/blob/main/2010/CVE-2010-4756.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--1010025-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-1010025.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--1010023-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-1010023.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--1010022-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-1010022.md)[![](https://img.shields.io/badge/🔗%20CVE--2018--20796-LOW-blue)](https://github.com/trickest/cve/blob/main/2018/CVE-2018-20796.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--9192-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-9192.md)[![](https://img.shields.io/badge/🔗%20CVE--2018--5709-LOW-blue)](https://github.com/trickest/cve/blob/main/2018/CVE-2018-5709.md)[![](https://img.shields.io/badge/🔗%20CVE--2018--6829-LOW-blue)](https://github.com/trickest/cve/blob/main/2018/CVE-2018-6829.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--6129-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-6129.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--36087-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-36087.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--36084-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-36084.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--36085-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-36085.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--36086-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-36086.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--2519-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2519.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--9117-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-9117.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--5563-LOW-blue)](https://github.com/trickest
/cve/blob/main/2017/CVE-2017-5563.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--16232-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-16232.md)[![](https://img.shields.io/badge/🔗%20CVE--2018--10126-LOW-blue)](https://github.com/trickest/cve/blob/main/2018/CVE-2018-10126.md)[![](https://img.shields.io/badge/🔗%20CVE--2014--8130-LOW-blue)](https://github.com/trickest/cve/blob/main/2014/CVE-2014-8130.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--9937-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-9937.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--2953-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2953.md)[![](https://img.shields.io/badge/🔗%20CVE--2016--9085-LOW-blue)](https://github.com/trickest/cve/blob/main/2016/CVE-2016-9085.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--39537-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-39537.md)[![](https://img.shields.io/badge/🔗%20CVE--2009--4487-LOW-blue)](https://github.com/trickest/cve/blob/main/2009/CVE-2009-4487.md)[![](https://img.shields.io/badge/🔗%20CVE--2020--15719-LOW-blue)](https://github.com/trickest/cve/blob/main/2020/CVE-2020-15719.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--14159-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-14159.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--17740-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-17740.md)[![](https://img.shields.io/badge/🔗%20CVE--2015--3276-LOW-blue)](https://github.com/trickest/cve/blob/main/2015/CVE-2015-3276.md)[![](https://img.shields.io/badge/🔗%20CVE--2010--0928-LOW-blue)](https://github.com/trickest/cve/blob/main/2010/CVE-2010-0928.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--20838-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-20838.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--11164-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-11164.md)[![](https:/
/img.shields.io/badge/🔗%20CVE--2017--16231-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-16231.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--7245-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-7245.md)[![](https://img.shields.io/badge/🔗%20CVE--2017--7246-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-7246.md)[![](https://img.shields.io/badge/🔗%20CVE--2011--4116-LOW-blue)](https://github.com/trickest/cve/blob/main/2011/CVE-2011-4116.md)[![](https://img.shields.io/badge/🔗%20CVE--2013--4235-LOW-blue)](https://github.com/trickest/cve/blob/main/2013/CVE-2013-4235.md)[![](https://img.shields.io/badge/🔗%20CVE--2019--19882-LOW-blue)](https://github.com/trickest/cve/blob/main/2019/CVE-2019-19882.md)[![](https://img.shields.io/badge/🔗%20CVE--2020--13529-LOW-blue)](https://github.com/trickest/cve/blob/main/2020/CVE-2020-13529.md)[![](https://img.shields.io/badge/🔗%20CVE--2013--4392-LOW-blue)](https://github.com/trickest/cve/blob/main/2013/CVE-2013-4392.md)[![](https://img.shields.io/badge/🔗%20CVE--2005--2541-LOW-blue)](https://github.com/trickest/cve/blob/main/2005/CVE-2005-2541.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--1210-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-1210.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--0563-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-0563.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--32221-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-32221.md)[![](https://img.shields.io/badge/🔗%20CVE--2021--46822-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-46822.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--34526-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-34526.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--1354-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-1354.md)[![](https://img.shields.io/badge/🔗%20CVE--2022--1355-LOW-blue)](
https://github.com/trickest/cve/blob/main/2022/CVE-2022-1355.md) +#### Without POC +[![](https://img.shields.io/badge/%20CVE--2022--2869-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2869.md)[![](https://img.shields.io/badge/%20CVE--2022--2867-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2867.md)[![](https://img.shields.io/badge/%20CVE--2022--40303-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-40303.md)[![](https://img.shields.io/badge/%20CVE--2021--4214-LOW-blue)](https://github.com/trickest/cve/blob/main/2021/CVE-2021-4214.md)[![](https://img.shields.io/badge/%20CVE--2022--2520-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2520.md)[![](https://img.shields.io/badge/%20CVE--2022--2521-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-2521.md)[![](https://img.shields.io/badge/%20CVE--2017--17973-LOW-blue)](https://github.com/trickest/cve/blob/main/2017/CVE-2017-17973.md)[![](https://img.shields.io/badge/%20CVE--2015--9019-LOW-blue)](https://github.com/trickest/cve/blob/main/2015/CVE-2015-9019.md)[![](https://img.shields.io/badge/%20CVE--2004--0971-LOW-blue)](https://github.com/trickest/cve/blob/main/2004/CVE-2004-0971.md)[![](https://img.shields.io/badge/%20CVE--2022--3715-LOW-blue)](https://github.com/trickest/cve/blob/main/2022/CVE-2022-3715.md) + +## Tests +* [etc release](reports/etc-release.txt) +* [cve](reports/cve.txt) +* [package names](reports/package-names.txt) +* [etc shadow](reports/etc-shadow.txt) +* [poc cve](reports/poc-cve.txt) +* [path executables](reports/path-executables.txt) +* [world writable files](reports/world-writable-files.txt) +* [hidden files](reports/hidden-files.txt) +* [files owned by root](reports/files-owned-by-root.txt) +* [dev tools](reports/dev-tools.txt) +* [gtfo](reports/gtfo.txt) +* [suid executables](reports/suid-executables.txt) +* [etc passwd](reports/etc-passwd.txt) +* [ssl certs](reports/ssl-certs.txt) +* [world writable 
folders](reports/world-writable-folders.txt) +* [pass policy](reports/pass-policy.txt) +* [guid executables](reports/guid-executables.txt) +* [no poc cve](reports/no-poc-cve.txt) +* [root structure](reports/root-structure.txt) +* [etc issue](reports/etc-issue.txt) +* [exposed ports](reports/exposed-ports.txt) diff --git a/images/nginx/1.23.2-perl/reports/cve.txt b/images/nginx/1.23.2-perl/reports/cve.txt new file mode 100644 index 00000000..3dfa6b44 --- /dev/null +++ b/images/nginx/1.23.2-perl/reports/cve.txt 
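Review bot: The `### Low (56)` section of this README repeats CVEs that the same page already lists at a higher severity, so it carries more badges than its heading count. CVE-2022-32221, CVE-2021-46822, CVE-2022-34526, CVE-2022-1354, CVE-2022-1355 and CVE-2022-3715 appear as both MEDIUM and LOW, and CVE-2022-2869, CVE-2022-2867 and CVE-2022-40303 as both HIGH and LOW, while `reports/cve.txt` in this commit gives each a single severity; the generator should de-duplicate by CVE id and keep the highest severity. The HIGH badges use the colour `organge`, presumably a typo for `orange`, so they will likely not render in the intended colour. Most reports linked under `## Tests` are added as empty files (index `e69de29b`, 0 lines in the diffstat), including `etc-passwd.txt` and `package-names.txt`; since an empty report reads as a clean result, a marker line such as `# check produced no output` would let a reader tell "nothing found" from "check did not run".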
@@ -0,0 +1,85 @@ +CVE-2021-46848 - CRITICAL - libtasn1: Out-of-bound access in ETYPE_OK +CVE-2019-8457 - CRITICAL - sqlite: heap out-of-bound read in function rtreenode() +CVE-2022-42916 - HIGH - curl: HSTS bypass via IDN +CVE-2022-1304 - HIGH - e2fsprogs: out-of-bounds read/write via crafted filesystem +CVE-2022-43680 - HIGH - expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate +CVE-2021-33560 - HIGH - libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm +CVE-2022-2868 - HIGH - libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits() +CVE-2022-2869 - HIGH - libtiff: tiffcrop.c has uint32_t underflow which leads to out of bounds read and write in extractContigSamples8bits() +CVE-2022-2867 - HIGH - libtiff: uint32_t underflow leads to out of bounds read and write in tiffcrop.c +CVE-2022-40304 - HIGH - libxml2: dict corruption caused by entity reference cycles +CVE-2022-40303 - HIGH - libxml2: integer overflows with XML_PARSE_HUGE +CVE-2022-29458 - HIGH - ncurses: segfaulting OOB read +CVE-2022-41741 - HIGH - nginx: Memory corruption in the ngx_http_mp4_module +CVE-2022-41742 - HIGH - nginx: Memory disclosure in the ngx_http_mp4_module +CVE-2020-16156 - HIGH - perl-CPAN: Bypass of verification of signatures in CHECKSUMS files +CVE-2007-6755 - LOW - Dual_EC_DRBG: weak pseudo random number generator +CVE-2011-3389 - LOW - HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) +CVE-2016-2781 - LOW - coreutils: Non-privileged session can escape to the parent session in chroot +CVE-2017-18018 - LOW - coreutils: race condition vulnerability in chown and chgrp +CVE-2021-22922 - LOW - curl: Content not matching hash in Metalink is not being discarded +CVE-2021-22923 - LOW - curl: Metalink download sends credentials +CVE-2013-0340 - LOW - expat: internal entity expansion +CVE-2019-1010024 - 
LOW - glibc: ASLR bypass using cache of thread stack and heap +CVE-2010-4756 - LOW - glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions +CVE-2019-1010025 - LOW - glibc: information disclosure of heap addresses of pthread_created thread +CVE-2019-1010023 - LOW - glibc: running ldd on malicious ELF leads to code execution because of wrong size computation +CVE-2019-1010022 - LOW - glibc: stack guard protection bypass +CVE-2018-20796 - LOW - glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c +CVE-2019-9192 - LOW - glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c +CVE-2018-5709 - LOW - krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c +CVE-2018-6829 - LOW - libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information +CVE-2021-4214 - LOW - libpng: hardcoded value leads to heap-overflow +CVE-2019-6129 - LOW - libpng: memory leak of png_info struct in pngcp.c +CVE-2021-36087 - LOW - libsepol: heap-based buffer overflow in ebitmap_match_any() +CVE-2021-36084 - LOW - libsepol: use-after-free in __cil_verify_classperms() +CVE-2021-36085 - LOW - libsepol: use-after-free in __cil_verify_classperms() +CVE-2021-36086 - LOW - libsepol: use-after-free in cil_reset_classpermission() +CVE-2022-2520 - LOW - libtiff: Assertion fail in rotateImage() function at tiffcrop.c +CVE-2022-2519 - LOW - libtiff: Double free or corruption in rotateImage() function at tiffcrop.c +CVE-2017-9117 - LOW - libtiff: Heap-based buffer over-read in bmp2tiff +CVE-2017-5563 - LOW - libtiff: Heap-buffer overflow in LZWEncode tif_lzw.c +CVE-2022-2521 - LOW - libtiff: Invalid pointer free operation in TIFFClose() at tif_close.c +CVE-2017-16232 - LOW - libtiff: Memory leaks in tif_open.c, tif_lzw.c, and tif_aux.c +CVE-2018-10126 - LOW - libtiff: NULL pointer 
dereference in the jpeg_fdct_16x16 function in jfdctint.c +CVE-2014-8130 - LOW - libtiff: divide by zero in the tiffdither tool +CVE-2017-17973 - LOW - libtiff: heap-based use after free in tiff2pdf.c:t2p_writeproc +CVE-2017-9937 - LOW - libtiff: memory malloc failure in tif_jbig.c could cause DOS. +CVE-2022-2953 - LOW - libtiff: tiffcrop: heap-buffer-overflow in extractImageSection in tiffcrop.c +CVE-2016-9085 - LOW - libwebp: Several integer overflows +CVE-2015-9019 - LOW - libxslt: math.random() in xslt uses unseeded randomness +CVE-2021-39537 - LOW - ncurses: heap-based buffer overflow in _nc_captoinfo() in captoinfo.c +CVE-2009-4487 - LOW - nginx: Absent sanitation of escape sequences in web server log +CVE-2020-15719 - LOW - openldap: Certificate validation incorrectly matches name against CN-ID +CVE-2017-14159 - LOW - openldap: Privilege escalation via PID file manipulation +CVE-2017-17740 - LOW - openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service +CVE-2015-3276 - LOW - openldap: incorrect multi-keyword mode cipherstring parsing +CVE-2010-0928 - LOW - openssl: RSA authentication weakness +CVE-2019-20838 - LOW - pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1 +CVE-2017-11164 - LOW - pcre: OP_KETRMAX feature in the match function in pcre_exec.c +CVE-2017-16231 - LOW - pcre: self-recursive call in match() in pcre_exec.c leads to denial of service +CVE-2017-7245 - LOW - pcre: stack-based buffer overflow write in pcre32_copy_substring +CVE-2017-7246 - LOW - pcre: stack-based buffer overflow write in pcre32_copy_substring +CVE-2011-4116 - LOW - perl: File::Temp insecure temporary file handling +CVE-2004-0971 - LOW - security flaw +CVE-2013-4235 - LOW - shadow-utils: TOCTOU race conditions by copying and removing directory trees +CVE-2019-19882 - LOW - shadow-utils: local users can obtain root access because setuid programs are 
misconfigured +CVE-2020-13529 - LOW - systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured +CVE-2013-4392 - LOW - systemd: TOCTOU race condition when updating file permissions and SELinux security contexts +CVE-2005-2541 - LOW - tar: does not properly warn the user when extracting setuid or setgid files +CVE-2022-1210 - LOW - tiff: Malicious file leads to a denial of service in TIFF File Handler +CVE-2022-0563 - LOW - util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline +CVE-2022-2056 - MEDIUM - LibTiff: DoS from Divide By Zero Error +CVE-2022-2057 - MEDIUM - LibTiff: DoS from Divide By Zero Error +CVE-2022-2058 - MEDIUM - LibTiff: DoS from Divide By Zero Error +CVE-2022-3715 - MEDIUM - bash: a heap-buffer-overflow in valid_parameter_transform +CVE-2022-32221 - MEDIUM - curl: POST following PUT confusion +CVE-2021-46822 - MEDIUM - libjpeg-turbo: heap buffer overflow in get_word_rgb_row() in rdppm.c +CVE-2022-34526 - MEDIUM - libtiff: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit +CVE-2022-1354 - MEDIUM - libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c +CVE-2022-1622 - MEDIUM - libtiff: out-of-bounds read in LZWDecode +CVE-2022-1623 - MEDIUM - libtiff: out-of-bounds read in LZWDecode +CVE-2022-1355 - MEDIUM - libtiff: stack-buffer-overflow in tiffcp.c in main() +CVE-2016-3709 - MEDIUM - libxml2: Incorrect server side include parsing can lead to XSS +CVE-2022-2097 - MEDIUM - openssl: AES OCB fails to encrypt some bytes +CVE-2022-3821 - MEDIUM - systemd: buffer overrun in format_timespan() function. diff --git a/images/nginx/1.23.2-perl/reports/dev-tools.txt b/images/nginx/1.23.2-perl/reports/dev-tools.txt new file mode 100644 index 00000000..e69de29b 
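Review bot: Each line of this report gives only the CVE id, severity and title, so a reader cannot tell which installed package version was matched or whether a fixed version exists, and `CVE-2004-0971 - LOW - security flaw` names no package at all. Adding the package name, installed version and fix status per line (for example `CVE-ID - SEVERITY - package installed-version (fixed: version|none) - title`) would make the list usable for triage without re-scanning the image. The entries are ordered CRITICAL, HIGH, LOW, MEDIUM, which looks like an alphabetical sort on the severity string and leaves the medium findings beneath 56 low ones; sorting by severity rank would read better. The same applies to the `no-poc-cve.txt` and `poc-cve.txt` hunks later in this patch.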
diff --git a/images/nginx/1.23.2-perl/reports/etc-issue.txt b/images/nginx/1.23.2-perl/reports/etc-issue.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/etc-passwd.txt b/images/nginx/1.23.2-perl/reports/etc-passwd.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/etc-release.txt b/images/nginx/1.23.2-perl/reports/etc-release.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/etc-shadow.txt b/images/nginx/1.23.2-perl/reports/etc-shadow.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/exposed-ports.txt b/images/nginx/1.23.2-perl/reports/exposed-ports.txt new file mode 100644 index 00000000..c82a12d9 --- /dev/null +++ b/images/nginx/1.23.2-perl/reports/exposed-ports.txt @@ -0,0 +1 @@ +80/tcp diff --git a/images/nginx/1.23.2-perl/reports/files-owned-by-root.txt b/images/nginx/1.23.2-perl/reports/files-owned-by-root.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/gtfo.txt b/images/nginx/1.23.2-perl/reports/gtfo.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/guid-executables.txt b/images/nginx/1.23.2-perl/reports/guid-executables.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/hidden-files.txt b/images/nginx/1.23.2-perl/reports/hidden-files.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/no-poc-cve.txt b/images/nginx/1.23.2-perl/reports/no-poc-cve.txt new file mode 100644 index 00000000..7ae46354 --- /dev/null +++ b/images/nginx/1.23.2-perl/reports/no-poc-cve.txt 
@@ -0,0 +1,17 @@ +CVE-2021-46848 - CRITICAL - libtasn1: Out-of-bound access in ETYPE_OK +CVE-2022-2868 - HIGH - libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits() +CVE-2022-2869 - HIGH - libtiff: tiffcrop.c has uint32_t underflow which leads to out of bounds read and write in extractContigSamples8bits() +CVE-2022-2867 - HIGH - libtiff: uint32_t underflow leads to out of bounds read and write in tiffcrop.c +CVE-2022-40304 - HIGH - libxml2: dict corruption caused by entity reference cycles +CVE-2022-40303 - HIGH - libxml2: integer overflows with XML_PARSE_HUGE +CVE-2022-41741 - HIGH - nginx: Memory corruption in the ngx_http_mp4_module +CVE-2022-41742 - HIGH - nginx: Memory disclosure in the ngx_http_mp4_module +CVE-2021-4214 - LOW - libpng: hardcoded value leads to heap-overflow +CVE-2022-2520 - LOW - libtiff: Assertion fail in rotateImage() function at tiffcrop.c +CVE-2022-2521 - LOW - libtiff: Invalid pointer free operation in TIFFClose() at tif_close.c +CVE-2017-17973 - LOW - libtiff: heap-based use after free in tiff2pdf.c:t2p_writeproc +CVE-2015-9019 - LOW - libxslt: math.random() in xslt uses unseeded randomness +CVE-2004-0971 - LOW - security flaw +CVE-2022-3715 - MEDIUM - bash: a heap-buffer-overflow in valid_parameter_transform +CVE-2022-1623 - MEDIUM - libtiff: out-of-bounds read in LZWDecode +CVE-2022-3821 - MEDIUM - systemd: buffer overrun in format_timespan() function. diff --git a/images/nginx/1.23.2-perl/reports/package-names.txt b/images/nginx/1.23.2-perl/reports/package-names.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/pass-policy.txt b/images/nginx/1.23.2-perl/reports/pass-policy.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/path-executables.txt b/images/nginx/1.23.2-perl/reports/path-executables.txt new file mode 100644 index 00000000..e69de29b 
diff --git a/images/nginx/1.23.2-perl/reports/poc-cve.txt b/images/nginx/1.23.2-perl/reports/poc-cve.txt new file mode 100644 index 00000000..fc404e97 --- /dev/null +++ b/images/nginx/1.23.2-perl/reports/poc-cve.txt 
@@ -0,0 +1,68 @@ +CVE-2019-8457 - CRITICAL - sqlite: heap out-of-bound read in function rtreenode() +CVE-2022-42916 - HIGH - curl: HSTS bypass via IDN +CVE-2022-1304 - HIGH - e2fsprogs: out-of-bounds read/write via crafted filesystem +CVE-2022-43680 - HIGH - expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate +CVE-2021-33560 - HIGH - libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm +CVE-2022-29458 - HIGH - ncurses: segfaulting OOB read +CVE-2020-16156 - HIGH - perl-CPAN: Bypass of verification of signatures in CHECKSUMS files +CVE-2007-6755 - LOW - Dual_EC_DRBG: weak pseudo random number generator +CVE-2011-3389 - LOW - HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) +CVE-2016-2781 - LOW - coreutils: Non-privileged session can escape to the parent session in chroot +CVE-2017-18018 - LOW - coreutils: race condition vulnerability in chown and chgrp +CVE-2021-22922 - LOW - curl: Content not matching hash in Metalink is not being discarded +CVE-2021-22923 - LOW - curl: Metalink download sends credentials +CVE-2013-0340 - LOW - expat: internal entity expansion +CVE-2019-1010024 - LOW - glibc: ASLR bypass using cache of thread stack and heap +CVE-2010-4756 - LOW - glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions +CVE-2019-1010025 - LOW - glibc: information disclosure of heap addresses of pthread_created thread +CVE-2019-1010023 - LOW - glibc: running ldd on malicious ELF leads to code execution because of wrong size computation +CVE-2019-1010022 - LOW - glibc: stack guard protection bypass +CVE-2018-20796 - LOW - glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c +CVE-2019-9192 - LOW - glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c +CVE-2018-5709 - LOW - krb5: integer overflow in 
dbentry->n_key_data in kadmin/dbutil/dump.c +CVE-2018-6829 - LOW - libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information +CVE-2019-6129 - LOW - libpng: memory leak of png_info struct in pngcp.c +CVE-2021-36087 - LOW - libsepol: heap-based buffer overflow in ebitmap_match_any() +CVE-2021-36084 - LOW - libsepol: use-after-free in __cil_verify_classperms() +CVE-2021-36085 - LOW - libsepol: use-after-free in __cil_verify_classperms() +CVE-2021-36086 - LOW - libsepol: use-after-free in cil_reset_classpermission() +CVE-2022-2519 - LOW - libtiff: Double free or corruption in rotateImage() function at tiffcrop.c +CVE-2017-9117 - LOW - libtiff: Heap-based buffer over-read in bmp2tiff +CVE-2017-5563 - LOW - libtiff: Heap-buffer overflow in LZWEncode tif_lzw.c +CVE-2017-16232 - LOW - libtiff: Memory leaks in tif_open.c, tif_lzw.c, and tif_aux.c +CVE-2018-10126 - LOW - libtiff: NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c +CVE-2014-8130 - LOW - libtiff: divide by zero in the tiffdither tool +CVE-2017-9937 - LOW - libtiff: memory malloc failure in tif_jbig.c could cause DOS. 
+CVE-2022-2953 - LOW - libtiff: tiffcrop: heap-buffer-overflow in extractImageSection in tiffcrop.c +CVE-2016-9085 - LOW - libwebp: Several integer overflows +CVE-2021-39537 - LOW - ncurses: heap-based buffer overflow in _nc_captoinfo() in captoinfo.c +CVE-2009-4487 - LOW - nginx: Absent sanitation of escape sequences in web server log +CVE-2020-15719 - LOW - openldap: Certificate validation incorrectly matches name against CN-ID +CVE-2017-14159 - LOW - openldap: Privilege escalation via PID file manipulation +CVE-2017-17740 - LOW - openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service +CVE-2015-3276 - LOW - openldap: incorrect multi-keyword mode cipherstring parsing +CVE-2010-0928 - LOW - openssl: RSA authentication weakness +CVE-2019-20838 - LOW - pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1 +CVE-2017-11164 - LOW - pcre: OP_KETRMAX feature in the match function in pcre_exec.c +CVE-2017-16231 - LOW - pcre: self-recursive call in match() in pcre_exec.c leads to denial of service +CVE-2017-7245 - LOW - pcre: stack-based buffer overflow write in pcre32_copy_substring +CVE-2017-7246 - LOW - pcre: stack-based buffer overflow write in pcre32_copy_substring +CVE-2011-4116 - LOW - perl: File::Temp insecure temporary file handling +CVE-2013-4235 - LOW - shadow-utils: TOCTOU race conditions by copying and removing directory trees +CVE-2019-19882 - LOW - shadow-utils: local users can obtain root access because setuid programs are misconfigured +CVE-2020-13529 - LOW - systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured +CVE-2013-4392 - LOW - systemd: TOCTOU race condition when updating file permissions and SELinux security contexts +CVE-2005-2541 - LOW - tar: does not properly warn the user when extracting setuid or setgid files +CVE-2022-1210 - LOW - tiff: Malicious 
file leads to a denial of service in TIFF File Handler +CVE-2022-0563 - LOW - util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline +CVE-2022-2056 - MEDIUM - LibTiff: DoS from Divide By Zero Error +CVE-2022-2057 - MEDIUM - LibTiff: DoS from Divide By Zero Error +CVE-2022-2058 - MEDIUM - LibTiff: DoS from Divide By Zero Error +CVE-2022-32221 - MEDIUM - curl: POST following PUT confusion +CVE-2021-46822 - MEDIUM - libjpeg-turbo: heap buffer overflow in get_word_rgb_row() in rdppm.c +CVE-2022-34526 - MEDIUM - libtiff: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit +CVE-2022-1354 - MEDIUM - libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c +CVE-2022-1622 - MEDIUM - libtiff: out-of-bounds read in LZWDecode +CVE-2022-1355 - MEDIUM - libtiff: stack-buffer-overflow in tiffcp.c in main() +CVE-2016-3709 - MEDIUM - libxml2: Incorrect server side include parsing can lead to XSS +CVE-2022-2097 - MEDIUM - openssl: AES OCB fails to encrypt some bytes diff --git a/images/nginx/1.23.2-perl/reports/root-structure.txt b/images/nginx/1.23.2-perl/reports/root-structure.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/ssl-certs.txt b/images/nginx/1.23.2-perl/reports/ssl-certs.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/suid-executables.txt b/images/nginx/1.23.2-perl/reports/suid-executables.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/world-writable-files.txt b/images/nginx/1.23.2-perl/reports/world-writable-files.txt new file mode 100644 index 00000000..e69de29b diff --git a/images/nginx/1.23.2-perl/reports/world-writable-folders.txt b/images/nginx/1.23.2-perl/reports/world-writable-folders.txt new file mode 100644 index 00000000..e69de29b