@eurekadevsecops/radar 1.3.3 → 1.3.4

@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"depscan","semanticVersion":"5.5.0","informationUri":"https://github.com/owasp-dep-scan/dep-scan","properties":{"protocol_version":"v1.0.0","scanner_name":"owasp-depscan","scanner_version":"5.5.0","db":"https://github.com/AppThreat/vulnerability-db","scan_mode":"source","officialName":"owasp-depscan"},"rules":[{"id":"CVE-2022-27191/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-27191\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.\nA broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-27191","properties":{"tags":["CVE-2022-27191"]}},{"id":"CVE-2020-12242/pkg:oci/source@latest?","shortDescription":{"text":"Vulnerable pkg: oci/source@latest?\nCVE: CVE-2020-12242\nFix: \n\ndepscan:insights: Flagged weakness\ndepscan:prioritized: false\naffectedVersionRange: source@-\n"},"fullDescription":{"text":"Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2020-12242","properties":{"tags":["CVE-2020-12242"]}},{"id":"CVE-2022-25887/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: 
CVE-2022-25887\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.\nA flaw was found in sanitize-html library. Insecure global regular expression replacement logic of HTML comment removal could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887","properties":{"tags":["CVE-2022-25887"]}},{"id":"CVE-2022-30630/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30630\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.\nA flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. 
This could allow an attacker to impact availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30630","properties":{"tags":["CVE-2022-30630"]}},{"id":"CVE-2022-30631/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30631\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.\nA flaw was found in golang. Calling the Reader, Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30631","properties":{"tags":["CVE-2022-30631"]}},{"id":"CVE-2021-23017/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23017\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.\nA flaw was found in nginx. An off-by-one error while processing DNS responses allows a network attacker to write a dot character out of bounds in a heap allocated buffer which can allow overwriting the least significant byte of next heap chunk metadata likely leading to a remote code execution in certain circumstances. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23017","properties":{"tags":["CVE-2021-23017"]}},{"id":"CVE-2022-30629/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30629\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.\nA flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30629","properties":{"tags":["CVE-2022-30629"]}},{"id":"CVE-2022-21803/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-21803\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.\nA flaw was found in the nconf library when setting the configuration properties. 
This flaw allows an attacker to provide a crafted property, leading to prototype object pollution."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-21803","properties":{"tags":["CVE-2022-21803"]}},{"id":"CVE-2021-22963/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-22963\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e.The issue shows up on all the fastify-static applications that set redirect: true option. By default, it is false."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-22963","properties":{"tags":["CVE-2021-22963"]}},{"id":"CVE-2021-3711/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3711\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. 
A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\nA flaw was found in openssl. A miscalculation of a buffer size was found in openssl's SM2 decryption function, allowing up to 62 arbitrary bytes to be written outside of the buffer. A remote attacker could use this flaw to crash an application supporting SM2 signature or encryption algorithm, or, possibly, execute arbitrary code with the permissions of the user running that application. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3711","properties":{"tags":["CVE-2021-3711"]}},{"id":"MAL-2025-6022/pkg:npm/eslint-config-prettier@10.1.1","shortDescription":{"text":"Vulnerable pkg: npm/eslint-config-prettier@10.1.1\nCVE: MAL-2025-6022\nFix: \n\ndepscan:insights: Malicious\nIndirect dependency\ndepscan:prioritized: false\naffectedVersionRange: eslint-config-prettier@>=8.10.1-<=10.1.7\n"},"fullDescription":{"text":"# Malicious code in eslint-config-prettier (npm)\nThis package installs a windows based malware file node-gyp.dll via install.js"},"help":{"text":""},"helpUri":"https://unknownhelpuri.com","properties":{"tags":["Malware","MAL-2025-6022"]}},{"id":"CVE-2021-41099/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-41099\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in redis in the underlying string library. 
The vulnerability involves changing the default \"proto-max-bulk-len\" configuration parameter to a very large value and constructing specially crafted network payloads or commands. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-41099","properties":{"tags":["CVE-2021-41099"]}},{"id":"CVE-2022-28131/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-28131\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.\nA flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-28131","properties":{"tags":["CVE-2022-28131"]}},{"id":"CVE-2021-43816/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-43816\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"containerd is an open source container runtime. 
On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.\nAn incorrect permission assignment flaw was found in containerd. This flaw allows a local attacker to use a specially designed text file to read and write files outside of the container's scope."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-43816","properties":{"tags":["CVE-2021-43816"]}},{"id":"CVE-2022-31150/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-31150\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.\nA flaw was found in the undici package. 
When requesting an input on an unsanitized request path, method, or headers it is possible to inject Carriage Return/Line Feed (CRLF) sequences into these requests."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-31150","properties":{"tags":["CVE-2022-31150"]}},{"id":"CVE-2021-3807/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3807\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity\nA regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3807","properties":{"tags":["PoC","CVE-2021-3807"]}},{"id":"CVE-2022-24771/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24771\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=forge\n"},"fullDescription":{"text":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.\nA flaw was found in the node-forge package. 
This signature verification leniency allows an attacker to forge a signature."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24771","properties":{"tags":["CVE-2022-24771"]}},{"id":"CVE-2022-0144/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0144\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"shelljs is vulnerable to Improper Privilege Management\nA flaw was found in the ShellJS library when the scripts used the exec function. Local users on the filesystem could take advantage of this as they can read the stdout of the ShellJS process. This issue discloses sensitive information, leading to privilege escalation. This flaw allows an attacker to craft stdout files, which leads to crashing the ShellJS scripts running with privileges."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0144","properties":{"tags":["PoC","CVE-2022-0144"]}},{"id":"CVE-2021-32672/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32672\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.\nA flaw was found in redis. 
When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer, potentially leading to an information disclosure."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32672","properties":{"tags":["CVE-2021-32672"]}},{"id":"CVE-2021-32690/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32690\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. 
If there is another domain found and that chart version was pulled or installed, the credentials would be passed on.\nA vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one.\tIn order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32690","properties":{"tags":["CVE-2021-32690"]}},{"id":"CVE-2021-3749/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3749\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"axios is vulnerable to Inefficient Regular Expression Complexity\nA Regular Expression Denial of Service (ReDoS) vulnerability was found in the nodejs axios. This flaw allows an attacker to provide crafted input to the trim function, which might cause high resources consumption and as a consequence lead to denial of service. The highest threat from this vulnerability is system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3749","properties":{"tags":["PoC","CVE-2021-3749"]}},{"id":"CVE-2023-39318/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39318\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. 
This may be leveraged to perform an XSS attack.\nA flaw was found in Golang. The html/template package did not properly handle HMTL-like \"<!--\" and \"-->\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39318","properties":{"tags":["CVE-2023-39318"]}},{"id":"CVE-2023-39319/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39319\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The html/template package does not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.\nA flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. 
This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39319","properties":{"tags":["CVE-2023-39319"]}},{"id":"CVE-2023-39325/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39325\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.\nA flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. 
This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39325","properties":{"tags":["CVE-2023-39325"]}},{"id":"CVE-2023-44487/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-44487\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\nA flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. 
Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\nSecurity Bulletin\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003"},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487","properties":{"tags":["CVE-2023-44487"]}},{"id":"CVE-2021-41190/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-41190\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.\nThe OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. 
In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-41190","properties":{"tags":["CVE-2021-41190"]}},{"id":"CVE-2022-31129/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-31129\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.\nA flaw was found in the Moment.js package. 
Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-31129","properties":{"tags":["CVE-2022-31129"]}},{"id":"CVE-2022-24778/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24778\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. 
Workarounds may include usage of different namespaces for each remote user.\nA flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24778","properties":{"tags":["CVE-2022-24778"]}},{"id":"CVE-2022-1705/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1705\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.\nA flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating \"chunked\" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1705","properties":{"tags":["CVE-2022-1705"]}},{"id":"CVE-2023-37903/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-37903\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. 
This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.\nA flaw was found in the vm2 custom inspect function, which allows attackers to escape the sandbox. This flaw allows attackers to run arbitrary code."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-37903","properties":{"tags":["CVE-2023-37903"]}},{"id":"CVE-2021-33623/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-33623\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.\nA flaw was found in nodejs-trim-newlines. Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-33623","properties":{"tags":["CVE-2021-33623"]}},{"id":"CVE-2022-0778/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0778\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. 
It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).\nA flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. 
Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0778","properties":{"tags":["CVE-2022-0778"]}},{"id":"CVE-2022-24772/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24772\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=forge\n"},"fullDescription":{"text":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.\nA flaw was found in the node-forge package. This signature verification leniency allows an attacker to forge a signature."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24772","properties":{"tags":["CVE-2022-24772"]}},{"id":"CVE-2022-24723/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24723\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. 
Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.\nAn improper input validation flaw was found in urijs where white space characters are not removed from the beginning of an URL. This issue allows bypassing the protocol validation."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24723","properties":{"tags":["CVE-2022-24723"]}},{"id":"CVE-2023-32314/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-32314\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.\nA flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to run remote code execution on the host running the sandbox. 
This vulnerability impacts the confidentiality, integrity, and availability of the system."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-32314","properties":{"tags":["CVE-2023-32314"]}},{"id":"CVE-2022-0235/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0235\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=fetch\n"},"fullDescription":{"text":"node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor\nA flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as \"Authorization,\" \"WWW-Authenticate,\" and \"Cookie\" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized actor."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0235","properties":{"tags":["PoC","CVE-2022-0235"]}},{"id":"CVE-2022-25896/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25896\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.\nA misleading session regeneration flaw was found in passport. When a user logs in or logs out, the session is regenerated instead of being closed. 
This flaw allows an attacker to use a previous session in particular environments."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25896","properties":{"tags":["CVE-2022-25896"]}},{"id":"CVE-2021-32628/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32628\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in the redis ziplist data structure. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32628","properties":{"tags":["CVE-2021-32628"]}},{"id":"CVE-2022-0536/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0536\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\nA flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0536","properties":{"tags":["CVE-2022-0536"]}},{"id":"CVE-2022-0155/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0155\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor\nA flaw was found in follow-redirects when fetching a remote URL with a cookie when it gets to the Location response header. 
This flaw allows an attacker to hijack the account as the cookie is leaked."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0155","properties":{"tags":["PoC","CVE-2022-0155"]}},{"id":"CVE-2022-24773/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24773\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=forge\n"},"fullDescription":{"text":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.\nA flaw was found in the node-forge library when verifying the signature on the ASN.1 structure in RSA PKCS#1 v1.5. This flaw allows an attacker to obtain successful verification for invalid DigestInfo structure, affecting the integrity of the attacked resource."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24773","properties":{"tags":["CVE-2022-24773"]}},{"id":"CVE-2021-23566/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23566\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.\nA flaw was found in the nanoid library where the valueOf() function allows the reproduction of the last id generated. 
This flaw allows an attacker to expose sensitive information."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23566","properties":{"tags":["CVE-2021-23566"]}},{"id":"CVE-2022-25858/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25858\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.\nA vulnerability was found in the terser package. Affected versions of this package are vulnerable to Regular expression denial of service (ReDoS) attacks, affecting system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25858","properties":{"tags":["CVE-2022-25858"]}},{"id":"CVE-2021-32675/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32675\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. 
An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.\nA flaw was found in redis. When parsing an incoming Redis Standard Protocol (RESP) request, redis allocates memory according to user-specified values, which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). This flaw allows an unauthenticated, remote user delivering specially crafted requests over multiple connections to cause the server to allocate a significant amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32675","properties":{"tags":["CVE-2021-32675"]}},{"id":"CVE-2022-35948/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-35948\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. 
Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.\nA flaw was found in the undici package. When requesting unsanitized input on content-type headers, it is possible to inject additional requests via Carriage Return/Line Feed (CRLF)."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-35948","properties":{"tags":["CVE-2022-35948"]}},{"id":"CVE-2022-3517/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-3517\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.\nA vulnerability was found in the nodejs-minimatch package. 
This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-3517","properties":{"tags":["CVE-2022-3517"]}},{"id":"CVE-2022-31151/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-31151\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).\nA flaw was found in the undici package. After cookie headers are set, they are not cleared. 
This issue could allow an attacker to take advantage of this cookie, which could be used to control the redirection target."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-31151","properties":{"tags":["CVE-2022-31151"]}},{"id":"CVE-2023-39322/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39322\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.\nA flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39322","properties":{"tags":["CVE-2023-39322"]}},{"id":"CVE-2021-32803/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32803\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.\nThe npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32803","properties":{"tags":["CVE-2021-32803"]}},{"id":"CVE-2023-37466/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-37466\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is an advanced vm/sandbox for Node.js. 
The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.\nA flaw was found in the vm2 Promise handler sanitization, which allows attackers to escape the sandbox. This flaw allows attackers to run arbitrary code."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-37466","properties":{"tags":["CVE-2023-37466"]}},{"id":"CVE-2022-3841/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-3841\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauthenticated users making requests.\nA Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). 
An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauthenticated users making requests."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-3841","properties":{"tags":["CVE-2022-3841"]}},{"id":"CVE-2021-32687/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32687\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in redis. The vulnerability involves changing the default \"set-max-intset-entries\" configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. This flaw allows a remote attacker to leak arbitrary contents of the heap or potentially trigger remote code execution. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32687","properties":{"tags":["CVE-2021-32687"]}},{"id":"CVE-2022-35949/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-35949\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.\nA Server-Side Request Forgery (SSRF) vulnerability was found in undici, a HTTP/1.1 client for Node.js. 
An attacker can manipulate the server-side application to make requests to an unintended location when they use the 'path/pathname' option in 'undici.request'."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-35949","properties":{"tags":["CVE-2022-35949"]}},{"id":"CVE-2022-0613/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0613\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.\nA flaw was found in urijs due to the fix of CVE-2021-3647 not considering case-sensitive protocol schemes in the URL. This issue allows attackers to bypass the patch."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0613","properties":{"tags":["CVE-2022-0613"]}},{"id":"CVE-2022-25881/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25881\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\nA flaw was found in http-cache-semantics. 
When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25881","properties":{"tags":["CVE-2022-25881"]}},{"id":"CVE-2022-23806/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-23806\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.\nA flaw was found in the elliptic package of the crypto library in golang when the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-23806","properties":{"tags":["CVE-2022-23806"]}},{"id":"CVE-2021-29923/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-29923\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=maintenance-operator-container\n"},"fullDescription":{"text":"Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.\nA flaw was found in golang. 
Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-29923","properties":{"tags":["CVE-2021-29923"]}},{"id":"CVE-2022-1365/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1365\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.\nA flaw was found in the cross-fetch library when fetching a remote URL with a cookie when it gets to the Location response header. This flaw allows an attacker to hijack the account as the cookie is leaked."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1365","properties":{"tags":["PoC","CVE-2022-1365"]}},{"id":"CVE-2022-24450/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24450\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature.\nA flaw was found in the NATS nats-server in an experimental feature that provides dynamically provisioned sandbox accounts that do not check the clients’ authorization. 
This flaw allows an attacker to take advantage of its valid account and switch over to another existing account without further authentication."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24450","properties":{"tags":["CVE-2022-24450"]}},{"id":"CVE-2023-32313/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-32313\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.\nA flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-32313","properties":{"tags":["CVE-2023-32313"]}},{"id":"CVE-2021-43858/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-43858\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. 
The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.\nMinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-43858","properties":{"tags":["CVE-2021-43858"]}},{"id":"CVE-2022-29526/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-29526\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.\nA flaw was found in the syscall.Faccessat function when calling a process by checking the group. 
This flaw allows an attacker to check the process group permissions rather than a member of the file's group, affecting system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-29526","properties":{"tags":["CVE-2022-29526"]}},{"id":"CVE-2022-29810/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-29810\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.\nA flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-29810","properties":{"tags":["CVE-2022-29810"]}},{"id":"CVE-2023-28856/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-28856\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.\nA vulnerability was found in Redis. 
This flaw allows authenticated users to use the HINCRBYFLOAT command to create an invalid hash field that may crash Redis on access."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-28856","properties":{"tags":["CVE-2023-28856"]}},{"id":"CVE-2023-3089/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-3089\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.\nA compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-3089","properties":{"tags":["CVE-2023-3089"]}},{"id":"CVE-2022-1798/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1798\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=maintenance-operator-container\n"},"fullDescription":{"text":"A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.\nAn arbitrary file read vulnerability was found in the kubeVirt API. 
This flaw makes it possible to use the kubeVirt API to provide access to host files (like /etc/passwd, for example) in a KubeVirt VM as a disk device that can be written to and read from."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1798","properties":{"tags":["CVE-2022-1798"]}},{"id":"CVE-2021-43565/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-43565\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.\nThere's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-43565","properties":{"tags":["CVE-2021-43565"]}},{"id":"CVE-2022-41912/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-41912\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.\nAn authentication bypass flaw was discovered in the crewjam/saml go package. A remote unauthenticated attacker could trigger it by sending a SAML request. 
This would allow an escalation of privileges and then enable\tcompromising system integrity."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-41912","properties":{"tags":["CVE-2022-41912"]}},{"id":"CVE-2021-3918/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3918\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nThe json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3918","properties":{"tags":["CVE-2021-3918"]}},{"id":"CVE-2022-24999/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24999\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).\nA flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24999","properties":{"tags":["CVE-2022-24999"]}},{"id":"CVE-2022-36067/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-36067\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.\nA flaw was found in the vm2 sandbox when running untrusted code, as the sandbox setup does not manage proper exception handling. 
This flaw allows an attacker to bypass the sandbox protections and gain remote code execution on the hypervisor host or the host which is running the sandbox."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-36067","properties":{"tags":["CVE-2022-36067"]}},{"id":"CVE-2022-30632/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30632\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.\nA flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30632","properties":{"tags":["CVE-2022-30632"]}},{"id":"CVE-2022-30633/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30633\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.\nA flaw was found in golang. 
Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the \"any\" field tag, can cause a panic due to stack exhaustion."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30633","properties":{"tags":["CVE-2022-30633"]}},{"id":"CVE-2022-30635/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30635\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.\nA flaw was found in golang. When calling Decoder, Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30635","properties":{"tags":["CVE-2022-30635"]}},{"id":"CVE-2021-34558/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-34558\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=maintenance-operator-container\n"},"fullDescription":{"text":"The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.\nA flaw was found in golang. 
A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-34558","properties":{"tags":["CVE-2021-34558"]}},{"id":"CVE-2022-24785/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24785\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.\nA path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. 
This can result in a loss of integrity."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24785","properties":{"tags":["CVE-2022-24785"]}},{"id":"CVE-2022-2238/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-2238\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A vulnerability was found in the search-api container in Red Hat Advanced Cluster Management for Kubernetes when a query in the search filter gets parsed by the backend. This flaw allows an attacker to craft specific strings containing special characters that lead to crashing the pod and affects system availability while restarting.\nA vulnerability was found in the search-api container when a query in the search filter gets parsed by the backend. This flaw allows an attacker to craft specific strings containing special characters that lead to crashing the pod and affects system availability while restarting."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-2238","properties":{"tags":["CVE-2022-2238"]}},{"id":"CVE-2021-23555/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23555\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.\nA flaw was found in vm2, where the sandbox can be bypassed via direct access to host error objects generated by node internals during the generation of stack traces. 
This flaw allows an attacker to execute arbitrary code on the host machine."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23555","properties":{"tags":["CVE-2021-23555"]}},{"id":"CVE-2021-32626/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32626\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.\nA heap buffer overflow was found in redis. Specially crafted Lua scripts executing in Redis cause the heap-based Lua stack to overflow due to incomplete checks for this condition. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32626","properties":{"tags":["CVE-2021-32626"]}},{"id":"CVE-2021-32627/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32627\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in redis. The vulnerability involves changing the default \"proto-max-bulk-len\" and \"client-query-buffer-limit\" configuration parameters to very large values and constructing specially crafted large stream elements. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32627","properties":{"tags":["CVE-2021-32627"]}},{"id":"CVE-2021-32804/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32804\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.\nThe npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. 
node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32804","properties":{"tags":["CVE-2021-32804"]}},{"id":"CVE-2023-39321/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39321\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Processing an incomplete post-handshake message for a QUIC connection can cause a panic.\nA flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39321","properties":{"tags":["CVE-2023-39321"]}},{"id":"CVE-2022-25645/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25645\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.\nA flaw was found in the dset package via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains a __proto__, constructor, or prototype. 
This flaw allows an attacker to craft a malicious object, bypassing this check and achieving prototype pollution."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25645","properties":{"tags":["CVE-2022-25645"]}},{"id":"CVE-2021-23518/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23518\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573\nA prototype pollution vulnerability was discovered in cached-path-relative. 
This flaw allows a remote, unauthenticated attacker to inject a cache variable to leak sensitive information."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23518","properties":{"tags":["CVE-2021-23518"]}},{"id":"CVE-2022-32148/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-32148\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.\nA flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-32148","properties":{"tags":["CVE-2022-32148"]}},{"id":"CVE-2022-1962/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1962\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.\nA flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. 
This issue allows an attacker to impact system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1962","properties":{"tags":["CVE-2022-1962"]}},{"id":"CVE-2021-3712/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3712\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. 
The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\nIt was found that openssl assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling openssl function with a specially crafted, non-NUL terminated string to deliberately hit this bug, which may result in a crash of the application, causing a Denial of Service attack, or possibly, memory disclosure. 
The highest threat from this vulnerability is to data confidentiality and system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3712","properties":{"tags":["CVE-2021-3712"]}}]}},"results":[{"ruleId":"CVE-2022-27191/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-27191 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-27191 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2020-12242/pkg:oci/source@latest?","level":"error","message":{"text":"Vulnerability CVE-2020-12242 in pkg oci/source@latest?"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2020-12242 in pkg oci/source@latest?"}}]},{"ruleId":"CVE-2022-25887/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-25887 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25887 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30630/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30630 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30630 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30631/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30631 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30631 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23017/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-23017 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23017 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30629/pkg:oci/node@20-alpine?tag=20-alpine","level":"note","message":{"text":"Vulnerability CVE-2022-30629 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30629 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-21803/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-21803 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-21803 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-22963/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-22963 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-22963 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3711/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3711 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3711 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"MAL-2025-6022/pkg:npm/eslint-config-prettier@10.1.1","level":"error","message":{"text":"Vulnerability MAL-2025-6022 in pkg npm/eslint-config-prettier@10.1.1"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability MAL-2025-6022 in pkg npm/eslint-config-prettier@10.1.1"}}]},{"ruleId":"CVE-2021-41099/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-41099 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-41099 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-28131/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-28131 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-28131 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-43816/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-43816 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-43816 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-31150/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-31150 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-31150 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3807/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3807 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3807 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24771/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24771 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24771 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0144/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-0144 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0144 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32672/pkg:oci/node@20-alpine?tag=20-alpine","level":"note","message":{"text":"Vulnerability CVE-2021-32672 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32672 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32690/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-32690 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32690 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3749/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3749 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3749 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39318/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-39318 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39318 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39319/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-39319 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39319 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39325/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-39325 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39325 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-44487/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-44487 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-44487 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-41190/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-41190 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-41190 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-31129/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-31129 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-31129 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24778/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24778 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24778 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1705/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-1705 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1705 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-37903/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-37903 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-37903 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-33623/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-33623 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-33623 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0778/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-0778 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0778 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24772/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24772 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24772 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24723/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-24723 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24723 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-32314/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-32314 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-32314 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0235/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0235 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0235 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25896/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-25896 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25896 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32628/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32628 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32628 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0536/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0536 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0536 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0155/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0155 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0155 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24773/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-24773 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24773 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23566/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-23566 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23566 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25858/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-25858 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25858 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32675/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32675 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32675 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-35948/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-35948 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-35948 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-3517/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-3517 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-3517 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-31151/pkg:oci/node@20-alpine?tag=20-alpine","level":"note","message":{"text":"Vulnerability CVE-2022-31151 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-31151 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39322/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-39322 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39322 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32803/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32803 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32803 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-37466/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-37466 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-37466 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-3841/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-3841 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-3841 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32687/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32687 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32687 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-35949/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-35949 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-35949 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0613/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0613 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0613 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25881/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-25881 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25881 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-23806/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-23806 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-23806 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-29923/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-29923 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-29923 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1365/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-1365 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1365 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24450/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24450 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24450 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-32313/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-32313 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-32313 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-43858/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-43858 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-43858 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-29526/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-29526 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-29526 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-29810/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-29810 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-29810 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-28856/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-28856 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-28856 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-3089/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-3089 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-3089 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1798/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-1798 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1798 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-43565/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-43565 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-43565 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-41912/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-41912 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-41912 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3918/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3918 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3918 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24999/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24999 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24999 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-36067/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-36067 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-36067 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30632/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30632 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30632 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30633/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30633 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30633 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30635/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30635 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30635 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-34558/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-34558 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-34558 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24785/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24785 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24785 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-2238/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-2238 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-2238 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23555/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-23555 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23555 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32626/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32626 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32626 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32627/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32627 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32627 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32804/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32804 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32804 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39321/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-39321 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39321 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25645/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-25645 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25645 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23518/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-23518 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23518 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-32148/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-32148 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-32148 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1962/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-1962 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1962 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3712/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3712 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3712 in pkg oci/node@20-alpine?tag=20-alpine"}}]}]}]}
@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"depscan","semanticVersion":"5.5.0","informationUri":"https://github.com/owasp-dep-scan/dep-scan","properties":{"protocol_version":"v1.0.0","scanner_name":"owasp-depscan","scanner_version":"5.5.0","db":"https://github.com/AppThreat/vulnerability-db","scan_mode":"source","officialName":"owasp-depscan"},"rules":[{"id":"CVE-2021-32690/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32690\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. 
If there is another domain found and that chart version was pulled or installed, the credentials would be passed on.\nA vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one.\tIn order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32690","properties":{"tags":["CVE-2021-32690"]}},{"id":"CVE-2023-3089/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-3089\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.\nA compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-3089","properties":{"tags":["CVE-2023-3089"]}},{"id":"CVE-2021-43858/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-43858\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. 
The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.\nMinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-43858","properties":{"tags":["CVE-2021-43858"]}},{"id":"CVE-2022-1962/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1962\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.\nA flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. 
This issue allows an attacker to impact system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1962","properties":{"tags":["CVE-2022-1962"]}},{"id":"MAL-2025-6022/pkg:npm/eslint-config-prettier@10.1.1","shortDescription":{"text":"Vulnerable pkg: npm/eslint-config-prettier@10.1.1\nCVE: MAL-2025-6022\nFix: \n\ndepscan:insights: Malicious\nIndirect dependency\ndepscan:prioritized: false\naffectedVersionRange: eslint-config-prettier@>=8.10.1-<=10.1.7\n"},"fullDescription":{"text":"# Malicious code in eslint-config-prettier (npm)\nThis package installs a windows based malware file node-gyp.dll via install.js"},"help":{"text":""},"helpUri":"https://unknownhelpuri.com","properties":{"tags":["Malware","MAL-2025-6022"]}},{"id":"CVE-2022-30633/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30633\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.\nA flaw was found in golang. 
Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the \"any\" field tag, can cause a panic due to stack exhaustion."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30633","properties":{"tags":["CVE-2022-30633"]}},{"id":"CVE-2021-3712/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3712\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. 
The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\nIt was found that openssl assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling openssl function with a specially crafted, non-NUL terminated string to deliberately hit this bug, which may result in a crash of the application, causing a Denial of Service attack, or possibly, memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3712","properties":{"tags":["CVE-2021-3712"]}},{"id":"CVE-2021-32628/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32628\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. 
The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in the redis ziplist data structure. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32628","properties":{"tags":["CVE-2021-32628"]}},{"id":"CVE-2022-0613/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0613\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.\nA flaw was found in urijs due to the fix of CVE-2021-3647 not considering case-sensitive protocol schemes in the URL. 
This issue allows attackers to bypass the patch."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0613","properties":{"tags":["CVE-2022-0613"]}},{"id":"CVE-2023-32314/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-32314\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.\nA flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to run remote code execution on the host running the sandbox. This vulnerability impacts the confidentiality, integrity, and availability of the system."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-32314","properties":{"tags":["CVE-2023-32314"]}},{"id":"CVE-2023-39322/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39322\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. 
With fix, connections now consistently reject messages larger than 65KiB in size.\nA flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39322","properties":{"tags":["CVE-2023-39322"]}},{"id":"CVE-2021-32804/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32804\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. 
See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.\nThe npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32804","properties":{"tags":["CVE-2021-32804"]}},{"id":"CVE-2021-3918/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3918\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nThe json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3918","properties":{"tags":["CVE-2021-3918"]}},{"id":"CVE-2022-31151/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-31151\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. 
There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).\nA flaw was found in the undici package. After cookie headers are set, they are not cleared. This issue could allow an attacker to take advantage of this cookie, which could be used to control the redirection target."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-31151","properties":{"tags":["CVE-2022-31151"]}},{"id":"CVE-2021-43816/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-43816\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.\nAn incorrect permission assignment flaw was found in containerd. 
This flaw allows a local attacker to use a specially designed text file to read and write files outside of the container's scope."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-43816","properties":{"tags":["CVE-2021-43816"]}},{"id":"CVE-2023-37903/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-37903\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.\nA flaw was found in the vm2 custom inspect function, which allows attackers to escape the sandbox. This flaw allows attackers to run arbitrary code."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-37903","properties":{"tags":["CVE-2023-37903"]}},{"id":"CVE-2021-23518/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23518\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. 
**Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573\nA prototype pollution vulnerability was discovered in cached-path-relative. This flaw allows a remote, unauthenticated attacker to inject a cache variable to leak sensitive information."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23518","properties":{"tags":["CVE-2021-23518"]}},{"id":"CVE-2022-1365/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1365\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.\nA flaw was found in the cross-fetch library when fetching a remote URL with a cookie when it gets to the Location response header. This flaw allows an attacker to hijack the account as the cookie is leaked."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1365","properties":{"tags":["PoC","CVE-2022-1365"]}},{"id":"CVE-2021-22963/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-22963\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e.The issue shows up on all the fastify-static applications that set redirect: true option. 
By default, it is false."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-22963","properties":{"tags":["CVE-2021-22963"]}},{"id":"CVE-2022-30632/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30632\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.\nA flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30632","properties":{"tags":["CVE-2022-30632"]}},{"id":"CVE-2021-41099/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-41099\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. 
This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in redis in the underlying string library. The vulnerability involves changing the default \"proto-max-bulk-len\" configuration parameter to a very large value and constructing specially crafted network payloads or commands. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-41099","properties":{"tags":["CVE-2021-41099"]}},{"id":"CVE-2021-32675/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32675\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. 
or Enabling TLS and requiring users to authenticate using client side certificates.\nA flaw was found in redis. When parsing an incoming Redis Standard Protocol (RESP) request, redis allocates memory according to user-specified values, which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). This flaw allows an unauthenticated, remote user delivering specially crafted requests over multiple connections to cause the server to allocate a significant amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32675","properties":{"tags":["CVE-2021-32675"]}},{"id":"CVE-2021-34558/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-34558\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=maintenance-operator-container\n"},"fullDescription":{"text":"The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.\nA flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. 
Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-34558","properties":{"tags":["CVE-2021-34558"]}},{"id":"CVE-2021-3807/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3807\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity\nA regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3807","properties":{"tags":["PoC","CVE-2021-3807"]}},{"id":"CVE-2022-35948/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-35948\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. 
Sanitize input when sending content-type headers using user input as a workaround.\nA flaw was found in the undici package. When requesting unsanitized input on content-type headers, it is possible to inject additional requests via Carriage Return/Line Feed (CRLF)."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-35948","properties":{"tags":["CVE-2022-35948"]}},{"id":"CVE-2023-39321/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39321\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Processing an incomplete post-handshake message for a QUIC connection can cause a panic.\nA flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39321","properties":{"tags":["CVE-2023-39321"]}},{"id":"CVE-2022-30635/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30635\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.\nA flaw was found in golang. 
When calling Decoder, Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30635","properties":{"tags":["CVE-2022-30635"]}},{"id":"CVE-2021-43565/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-43565\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.\nThere's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-43565","properties":{"tags":["CVE-2021-43565"]}},{"id":"CVE-2021-29923/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-29923\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=maintenance-operator-container\n"},"fullDescription":{"text":"Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.\nA flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-29923","properties":{"tags":["CVE-2021-29923"]}},{"id":"CVE-2022-23806/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-23806\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.\nA flaw was found in the elliptic package of the crypto library in golang when the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-23806","properties":{"tags":["CVE-2022-23806"]}},{"id":"CVE-2022-0778/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0778\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. 
Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).\nA flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. 
Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0778","properties":{"tags":["CVE-2022-0778"]}},{"id":"CVE-2022-25645/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25645\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.\nA flaw was found in the dset package via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains a __proto__, constructor, or prototype. This flaw allows an attacker to craft a malicious object, bypassing this check and achieving prototype pollution."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25645","properties":{"tags":["CVE-2022-25645"]}},{"id":"CVE-2021-32626/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32626\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. 
This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.\nA heap buffer overflow was found in redis. Specially crafted Lua scripts executing in Redis cause the heap-based Lua stack to overflow due to incomplete checks for this condition. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32626","properties":{"tags":["CVE-2021-32626"]}},{"id":"CVE-2021-33623/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-33623\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.\nA flaw was found in nodejs-trim-newlines. 
Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-33623","properties":{"tags":["CVE-2021-33623"]}},{"id":"CVE-2022-25887/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25887\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.\nA flaw was found in sanitize-html library. Insecure global regular expression replacement logic of HTML comment removal could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887","properties":{"tags":["CVE-2022-25887"]}},{"id":"CVE-2022-29526/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-29526\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.\nA flaw was found in the syscall.Faccessat function when calling a process by checking the group. 
This flaw allows an attacker to check the process group permissions rather than a member of the file's group, affecting system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-29526","properties":{"tags":["CVE-2022-29526"]}},{"id":"CVE-2022-25881/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25881\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\nA flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25881","properties":{"tags":["CVE-2022-25881"]}},{"id":"CVE-2022-36067/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-36067\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.\nA flaw was found in the vm2 sandbox when running untrusted code, as the sandbox setup does not manage proper exception handling. 
This flaw allows an attacker to bypass the sandbox protections and gain remote code execution on the hypervisor host or the host which is running the sandbox."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-36067","properties":{"tags":["CVE-2022-36067"]}},{"id":"CVE-2022-1798/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1798\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=maintenance-operator-container\n"},"fullDescription":{"text":"A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.\nAn arbitrary file read vulnerability was found in the kubeVirt API. This flaw makes it possible to use the kubeVirt API to provide access to host files (like /etc/passwd, for example) in a KubeVirt VM as a disk device that can be written to and read from."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1798","properties":{"tags":["CVE-2022-1798"]}},{"id":"CVE-2022-41912/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-41912\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.\nAn authentication bypass flaw was discovered in the crewjam/saml go package. 
A remote unauthenticated attacker could trigger it by sending a SAML request. This would allow an escalation of privileges and then enable\tcompromising system integrity."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-41912","properties":{"tags":["CVE-2022-41912"]}},{"id":"CVE-2022-24723/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24723\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.\nAn improper input validation flaw was found in urijs where white space characters are not removed from the beginning of an URL. This issue allows bypassing the protocol validation."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24723","properties":{"tags":["CVE-2022-24723"]}},{"id":"CVE-2022-24450/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24450\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature.\nA flaw was found in the NATS nats-server in an experimental feature that provides dynamically provisioned sandbox accounts that do not check the clients’ authorization. 
This flaw allows an attacker to take advantage of its valid account and switch over to another existing account without further authentication."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24450","properties":{"tags":["CVE-2022-24450"]}},{"id":"CVE-2023-39318/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39318\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.\nA flaw was found in Golang. The html/template package did not properly handle HMTL-like \"<!--\" and \"-->\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39318","properties":{"tags":["CVE-2023-39318"]}},{"id":"CVE-2022-0235/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0235\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=fetch\n"},"fullDescription":{"text":"node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor\nA flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as \"Authorization,\" \"WWW-Authenticate,\" and \"Cookie\" to potentially untrusted targets. 
This flaw leads to the exposure of sensitive information to an unauthorized actor."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0235","properties":{"tags":["PoC","CVE-2022-0235"]}},{"id":"CVE-2022-24772/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24772\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=forge\n"},"fullDescription":{"text":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.\nA flaw was found in the node-forge package. This signature verification leniency allows an attacker to forge a signature."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24772","properties":{"tags":["CVE-2022-24772"]}},{"id":"CVE-2022-0144/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0144\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"shelljs is vulnerable to Improper Privilege Management\nA flaw was found in the ShellJS library when the scripts used the exec function. Local users on the filesystem could take advantage of this as they can read the stdout of the ShellJS process. This issue discloses sensitive information, leading to privilege escalation. 
This flaw allows an attacker to craft stdout files, which leads to crashing the ShellJS scripts running with privileges."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0144","properties":{"tags":["PoC","CVE-2022-0144"]}},{"id":"CVE-2022-24771/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24771\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=forge\n"},"fullDescription":{"text":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.\nA flaw was found in the node-forge package. This signature verification leniency allows an attacker to forge a signature."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24771","properties":{"tags":["CVE-2022-24771"]}},{"id":"CVE-2022-3841/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-3841\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). 
An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauthenticated users making requests.\nA Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauthenticated users making requests."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-3841","properties":{"tags":["CVE-2022-3841"]}},{"id":"CVE-2022-31150/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-31150\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.\nA flaw was found in the undici package. When requesting an input on an unsanitized request path, method, or headers it is possible to inject Carriage Return/Line Feed (CRLF) sequences into these requests."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-31150","properties":{"tags":["CVE-2022-31150"]}},{"id":"CVE-2021-41190/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-41190\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. 
In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.\nThe OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. 
In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-41190","properties":{"tags":["CVE-2021-41190"]}},{"id":"CVE-2020-12242/pkg:oci/source@latest?","shortDescription":{"text":"Vulnerable pkg: oci/source@latest?\nCVE: CVE-2020-12242\nFix: \n\ndepscan:insights: Flagged weakness\ndepscan:prioritized: false\naffectedVersionRange: source@-\n"},"fullDescription":{"text":"Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2020-12242","properties":{"tags":["CVE-2020-12242"]}},{"id":"CVE-2022-24778/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24778\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. 
Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.\nA flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24778","properties":{"tags":["CVE-2022-24778"]}},{"id":"CVE-2022-2238/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-2238\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A vulnerability was found in the search-api container in Red Hat Advanced Cluster Management for Kubernetes when a query in the search filter gets parsed by the backend. This flaw allows an attacker to craft specific strings containing special characters that lead to crashing the pod and affects system availability while restarting.\nA vulnerability was found in the search-api container when a query in the search filter gets parsed by the backend. 
This flaw allows an attacker to craft specific strings containing special characters that lead to crashing the pod and affects system availability while restarting."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-2238","properties":{"tags":["CVE-2022-2238"]}},{"id":"CVE-2022-29810/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-29810\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.\nA flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-29810","properties":{"tags":["CVE-2022-29810"]}},{"id":"CVE-2023-39319/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39319\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The html/template package does not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.\nA flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. 
This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39319","properties":{"tags":["CVE-2023-39319"]}},{"id":"CVE-2021-23555/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23555\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.\nA flaw was found in vm2, where the sandbox can be bypassed via direct access to host error objects generated by node internals during the generation of stack traces. This flaw allows an attacker to execute arbitrary code on the host machine."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23555","properties":{"tags":["CVE-2021-23555"]}},{"id":"CVE-2022-30629/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30629\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.\nA flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. 
This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30629","properties":{"tags":["CVE-2022-30629"]}},{"id":"CVE-2022-24773/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24773\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=forge\n"},"fullDescription":{"text":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.\nA flaw was found in the node-forge library when verifying the signature on the ASN.1 structure in RSA PKCS#1 v1.5. This flaw allows an attacker to obtain successful verification for invalid DigestInfo structure, affecting the integrity of the attacked resource."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24773","properties":{"tags":["CVE-2022-24773"]}},{"id":"CVE-2023-28856/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-28856\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. 
Users are advised to upgrade. There are no known workarounds for this issue.\nA vulnerability was found in Redis. This flaw allows authenticated users to use the HINCRBYFLOAT command to create an invalid hash field that may crash Redis on access."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-28856","properties":{"tags":["CVE-2023-28856"]}},{"id":"CVE-2022-25896/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25896\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.\nA misleading session regeneration flaw was found in passport. When a user logs in or logs out, the session is regenerated instead of being closed. This flaw allows an attacker to use a previous session in particular environments."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25896","properties":{"tags":["CVE-2022-25896"]}},{"id":"CVE-2021-3711/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3711\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. 
A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\nA flaw was found in openssl. A miscalculation of a buffer size was found in openssl's SM2 decryption function, allowing up to 62 arbitrary bytes to be written outside of the buffer. A remote attacker could use this flaw to crash an application supporting SM2 signature or encryption algorithm, or, possibly, execute arbitrary code with the permissions of the user running that application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3711","properties":{"tags":["CVE-2021-3711"]}},{"id":"CVE-2022-25858/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-25858\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.\nA vulnerability was found in the terser package. 
Affected versions of this package are vulnerable to Regular expression denial of service (ReDoS) attacks, affecting system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-25858","properties":{"tags":["CVE-2022-25858"]}},{"id":"CVE-2021-32687/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32687\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in redis. The vulnerability involves changing the default \"set-max-intset-entries\" configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. This flaw allows a remote attacker to leak arbitrary contents of the heap or potentially trigger remote code execution. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32687","properties":{"tags":["CVE-2021-32687"]}},{"id":"CVE-2022-0155/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0155\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor\nA flaw was found in follow-redirects when fetching a remote URL with a cookie when it gets to the Location response header. This flaw allows an attacker to hijack the account as the cookie is leaked."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0155","properties":{"tags":["PoC","CVE-2022-0155"]}},{"id":"CVE-2022-30630/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30630\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.\nA flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. 
This could allow an attacker to impact availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30630","properties":{"tags":["CVE-2022-30630"]}},{"id":"CVE-2023-32313/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-32313\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.\nA flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-32313","properties":{"tags":["CVE-2023-32313"]}},{"id":"CVE-2022-24999/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24999\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. 
In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).\nA flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24999","properties":{"tags":["CVE-2022-24999"]}},{"id":"CVE-2022-28131/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-28131\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.\nA flaw was found in golang encoding/xml. 
When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-28131","properties":{"tags":["CVE-2022-28131"]}},{"id":"CVE-2023-44487/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-44487\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\nA flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. 
Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\nSecurity Bulletin\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003"},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487","properties":{"tags":["CVE-2023-44487"]}},{"id":"CVE-2023-37466/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-37466\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.\nA flaw was found in the vm2 Promise handler sanitization, which allows attackers to escape the sandbox. This flaw allows attackers to run arbitrary code."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-37466","properties":{"tags":["CVE-2023-37466"]}},{"id":"CVE-2023-39325/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2023-39325\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. 
While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.\nA flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. 
Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2023-39325","properties":{"tags":["CVE-2023-39325"]}},{"id":"CVE-2022-30631/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-30631\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.\nA flaw was found in golang. Calling the Reader, Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-30631","properties":{"tags":["CVE-2022-30631"]}},{"id":"CVE-2022-31129/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-31129\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. 
Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.\nA flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-31129","properties":{"tags":["CVE-2022-31129"]}},{"id":"CVE-2022-3517/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-3517\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.\nA vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-3517","properties":{"tags":["CVE-2022-3517"]}},{"id":"CVE-2022-21803/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-21803\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"This affects the package nconf before 0.11.4. 
When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.\nA flaw was found in the nconf library when setting the configuration properties. This flaw allows an attacker to provide a crafted property, leading to prototype object pollution."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-21803","properties":{"tags":["CVE-2022-21803"]}},{"id":"CVE-2022-32148/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-32148\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.\nA flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. 
This issue may affect confidentiality."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-32148","properties":{"tags":["CVE-2022-32148"]}},{"id":"CVE-2021-32803/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32803\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.\nThe npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. 
`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32803","properties":{"tags":["CVE-2021-32803"]}},{"id":"CVE-2021-23017/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23017\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.\nA flaw was found in nginx. An off-by-one error while processing DNS responses allows a network attacker to write a dot character out of bounds in a heap allocated buffer which can allow overwriting the least significant byte of next heap chunk metadata likely leading to a remote code execution in certain circumstances. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23017","properties":{"tags":["CVE-2021-23017"]}},{"id":"CVE-2022-35949/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-35949\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.\nA Server-Side Request Forgery (SSRF) vulnerability was found in undici, a HTTP/1.1 client for Node.js. 
An attacker can manipulate the server-side application to make requests to an unintended location when they use the 'path/pathname' option in 'undici.request'."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-35949","properties":{"tags":["CVE-2022-35949"]}},{"id":"CVE-2022-1705/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-1705\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.\nA flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating \"chunked\" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-1705","properties":{"tags":["CVE-2022-1705"]}},{"id":"CVE-2022-27191/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-27191\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.\nA broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. 
This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-27191","properties":{"tags":["CVE-2022-27191"]}},{"id":"CVE-2021-32672/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32672\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.\nA flaw was found in redis. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer, potentially leading to an information disclosure."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32672","properties":{"tags":["CVE-2021-32672"]}},{"id":"CVE-2022-0536/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-0536\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\nA flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. 
This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-0536","properties":{"tags":["CVE-2022-0536"]}},{"id":"CVE-2022-24785/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2022-24785\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.\nA path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. 
This can result in a loss of integrity."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2022-24785","properties":{"tags":["CVE-2022-24785"]}},{"id":"CVE-2021-23566/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-23566\nFix: \n\ndepscan:insights: Distro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.\nA flaw was found in the nanoid library where the valueOf() function allows the reproduction of the last id generated. This flaw allows an attacker to expose sensitive information."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-23566","properties":{"tags":["CVE-2021-23566"]}},{"id":"CVE-2021-32627/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-32627\nFix: \n\ndepscan:insights: Flagged weakness\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"Redis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. 
This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.\nAn integer overflow issue was found in redis. The vulnerability involves changing the default \"proto-max-bulk-len\" and \"client-query-buffer-limit\" configuration parameters to very large values and constructing specially crafted large stream elements. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-32627","properties":{"tags":["CVE-2021-32627"]}},{"id":"CVE-2021-3749/pkg:oci/node@20-alpine?tag=20-alpine","shortDescription":{"text":"Vulnerable pkg: oci/node@20-alpine?tag=20-alpine\nCVE: CVE-2021-3749\nFix: \n\ndepscan:insights: Has PoC\nDistro specific\ndepscan:prioritized: false\naffectedVersionRange: node@<=exporter-container\n"},"fullDescription":{"text":"axios is vulnerable to Inefficient Regular Expression Complexity\nA Regular Expression Denial of Service (ReDoS) vulnerability was found in the nodejs axios. This flaw allows an attacker to provide crafted input to the trim function, which might cause high resources consumption and as a consequence lead to denial of service. 
The highest threat from this vulnerability is system availability."},"help":{"text":""},"helpUri":"https://nvd.nist.gov/vuln/detail/CVE-2021-3749","properties":{"tags":["PoC","CVE-2021-3749"]}}]}},"results":[{"ruleId":"CVE-2021-32690/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-32690 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32690 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-3089/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-3089 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-3089 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-43858/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-43858 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-43858 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1962/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-1962 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1962 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"MAL-2025-6022/pkg:npm/eslint-config-prettier@10.1.1","level":"error","message":{"text":"Vulnerability MAL-2025-6022 in pkg 
npm/eslint-config-prettier@10.1.1"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability MAL-2025-6022 in pkg npm/eslint-config-prettier@10.1.1"}}]},{"ruleId":"CVE-2022-30633/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30633 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30633 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3712/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3712 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3712 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32628/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32628 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32628 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0613/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0613 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0613 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-32314/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-32314 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-32314 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39322/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-39322 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39322 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32804/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32804 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32804 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3918/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3918 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3918 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-31151/pkg:oci/node@20-alpine?tag=20-alpine","level":"note","message":{"text":"Vulnerability CVE-2022-31151 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-31151 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-43816/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-43816 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-43816 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-37903/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-37903 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-37903 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23518/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-23518 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23518 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1365/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-1365 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1365 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-22963/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-22963 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-22963 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30632/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30632 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30632 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-41099/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-41099 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-41099 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32675/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32675 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32675 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-34558/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-34558 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-34558 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3807/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3807 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3807 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-35948/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-35948 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-35948 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39321/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-39321 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39321 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30635/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30635 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30635 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-43565/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-43565 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-43565 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-29923/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-29923 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-29923 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-23806/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-23806 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-23806 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0778/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-0778 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0778 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25645/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-25645 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25645 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32626/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32626 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32626 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-33623/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-33623 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-33623 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25887/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-25887 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25887 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-29526/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-29526 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-29526 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25881/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-25881 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25881 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-36067/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-36067 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-36067 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1798/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-1798 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1798 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-41912/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-41912 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-41912 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24723/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-24723 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24723 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24450/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24450 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24450 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39318/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-39318 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39318 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0235/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0235 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0235 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24772/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24772 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24772 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0144/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-0144 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0144 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24771/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24771 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24771 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-3841/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-3841 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-3841 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-31150/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-31150 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-31150 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-41190/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-41190 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-41190 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2020-12242/pkg:oci/source@latest?","level":"error","message":{"text":"Vulnerability CVE-2020-12242 in pkg oci/source@latest?"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2020-12242 in pkg oci/source@latest?"}}]},{"ruleId":"CVE-2022-24778/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24778 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24778 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-2238/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-2238 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-2238 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-29810/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-29810 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-29810 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39319/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-39319 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39319 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23555/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-23555 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23555 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30629/pkg:oci/node@20-alpine?tag=20-alpine","level":"note","message":{"text":"Vulnerability CVE-2022-30629 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30629 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24773/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-24773 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24773 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-28856/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-28856 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-28856 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25896/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-25896 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25896 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3711/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3711 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3711 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-25858/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-25858 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-25858 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32687/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32687 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32687 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0155/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0155 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0155 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30630/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30630 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30630 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-32313/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2023-32313 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-32313 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24999/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24999 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24999 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-28131/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-28131 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-28131 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-44487/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-44487 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-44487 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-37466/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-37466 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-37466 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2023-39325/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2023-39325 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2023-39325 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-30631/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-30631 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-30631 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-31129/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-31129 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-31129 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-3517/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-3517 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-3517 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-21803/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-21803 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-21803 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-32148/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-32148 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-32148 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32803/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32803 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32803 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23017/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-23017 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23017 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-35949/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-35949 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-35949 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-1705/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-1705 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-1705 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-27191/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-27191 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-27191 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32672/pkg:oci/node@20-alpine?tag=20-alpine","level":"note","message":{"text":"Vulnerability CVE-2021-32672 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32672 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-0536/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2022-0536 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-0536 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2022-24785/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2022-24785 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2022-24785 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-23566/pkg:oci/node@20-alpine?tag=20-alpine","level":"warning","message":{"text":"Vulnerability CVE-2021-23566 in pkg 
oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-23566 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-32627/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-32627 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-32627 in pkg oci/node@20-alpine?tag=20-alpine"}}]},{"ruleId":"CVE-2021-3749/pkg:oci/node@20-alpine?tag=20-alpine","level":"error","message":{"text":"Vulnerability CVE-2021-3749 in pkg oci/node@20-alpine?tag=20-alpine"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lockfile","uriBaseId":"%SRCROOT%"},"region":{"startLine":1}},"message":{"text":"Vulnerability CVE-2021-3749 in pkg oci/node@20-alpine?tag=20-alpine"}}]}]}]}
@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[]}},"results":[]}]}
@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[]}},"results":[]}]}
@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"opengrep","semanticVersion":"1.5.0","properties":{"officialName":"Opengrep OSS"},"rules":[{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","id":"assets.dockerfile.security.missing-user.missing-user","name":"assets.dockerfile.security.missing-user.missing-user","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Opengrep Finding: assets.dockerfile.security.missing-user.missing-user"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. 
If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n","text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","id":"assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","name":"assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","properties":{"precision":"very-high","tags":["CWE-134: Use of Externally-Controlled Format String","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Opengrep Finding: assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}}]}},"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/src/pages/vulnerabilities/components/details/details-dialog.tsx:71:\n `satisfies Status` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/src/pages/vulnerabilities/components/table/table-controls.tsx:53:\n `satisfies Status` was 
unexpected"}}]}],"results":[{"fingerprints":{"matchBasedId/v1":"cd0744dca8359f4708edd5968aa71ddcfde55fdac2aa66ac9411123e84cb4e89092c22ae179a8171b07e87b04da842688a2ea789e64d5a39da438b1d4a62204f_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Dockerfile","uriBaseId":"%SRCROOT%"},"region":{"endColumn":52,"endLine":41,"snippet":{"text":"CMD [ \"npm\", \"run\", \"dev\", \"--\", \"--host=0.0.0.0\" ]"},"startColumn":1,"startLine":41}}}],"message":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"properties":{},"ruleId":"assets.dockerfile.security.missing-user.missing-user"},{"fingerprints":{"matchBasedId/v1":"7266ed342142f62ccbefe2234c22ca935d77775f6e97cf5384966065077932668f8be4fea5a2478b70f343ac443113a5e811065069db4bea43f541f74dbada22_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/components/settings/credentials/credentials-settings.tsx","uriBaseId":"%SRCROOT%"},"region":{"endColumn":86,"endLine":120,"snippet":{"text":" console.error(`Could not parse expiry date ${cred.expiresAt} as date`, error)"},"startColumn":31,"startLine":120}}}],"message":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"properties":{},"ruleId":"assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}]}]}
@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"opengrep","semanticVersion":"1.5.0","properties":{"officialName":"Opengrep OSS"},"rules":[{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","id":"assets.dockerfile.security.missing-user.missing-user","name":"assets.dockerfile.security.missing-user.missing-user","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Opengrep Finding: assets.dockerfile.security.missing-user.missing-user"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. 
If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n","text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","id":"assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","name":"assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","properties":{"precision":"very-high","tags":["CWE-134: Use of Externally-Controlled Format String","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Opengrep Finding: assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}}]}},"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/src/pages/vulnerabilities/components/details/details-dialog.tsx:71:\n `satisfies Status` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/src/pages/vulnerabilities/components/table/table-controls.tsx:53:\n `satisfies Status` was 
unexpected"}}]}],"results":[{"fingerprints":{"matchBasedId/v1":"cd0744dca8359f4708edd5968aa71ddcfde55fdac2aa66ac9411123e84cb4e89092c22ae179a8171b07e87b04da842688a2ea789e64d5a39da438b1d4a62204f_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Dockerfile","uriBaseId":"%SRCROOT%"},"region":{"endColumn":52,"endLine":41,"snippet":{"text":"CMD [ \"npm\", \"run\", \"dev\", \"--\", \"--host=0.0.0.0\" ]"},"startColumn":1,"startLine":41}}}],"message":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"properties":{},"ruleId":"assets.dockerfile.security.missing-user.missing-user"},{"fingerprints":{"matchBasedId/v1":"7266ed342142f62ccbefe2234c22ca935d77775f6e97cf5384966065077932668f8be4fea5a2478b70f343ac443113a5e811065069db4bea43f541f74dbada22_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/components/settings/credentials/credentials-settings.tsx","uriBaseId":"%SRCROOT%"},"region":{"endColumn":86,"endLine":120,"snippet":{"text":" console.error(`Could not parse expiry date ${cred.expiresAt} as date`, error)"},"startColumn":31,"startLine":120}}}],"message":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"properties":{},"ruleId":"assets.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}]}]}
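--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@eurekadevsecops/radar",
- "version": "1.3.3",
+ "version": "1.3.4",
  "description": "Radar is an open-source orchestrator of security scanners.",
  "homepage": "https://www.eurekadevsecops.com/radar",
  "keywords": [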
@@ -169,13 +169,24 @@ module.exports = {
169
169
  // Write findings to the destination SARIF file.
170
170
  if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif))
171
171
 
172
- // Analyze scan findings: count findings by severity level.
173
- const summary = await SARIF.analysis.summarize(results.sarif, target)
172
+ // Send telemetry: scan results.
173
+ if (isTelemetryEnabled && scanID) {
174
+ await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
175
+ }
176
+
177
+ // Analyze scan results: group findings by severity level.
178
+ let summary
179
+ if (isTelemetryEnabled && scanID) {
180
+ const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
181
+ if (!analysis?.summary) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
182
+ summary = analysis.summary.findingsBySeverity
183
+ } else {
184
+ summary = await SARIF.analysis.summarize(results.sarif, target)
185
+ }
174
186
 
175
- // Send telemetry.
187
+ // Send telemetry: scan summary.
176
188
  if (isTelemetryEnabled && scanID) {
177
189
  await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
178
- await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
179
190
  }
180
191
 
181
192
  // Display summarized findings.
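Review bot: The remote analysis result is used without validating its shape — `analysis.summary.findingsBySeverity` can be absent or not an object even when `analysis.summary` exists, yet it then flows into `telemetry.send(..., summary)` and into the display code below the hunk, where `SARIF.analysis.summarize` previously produced the value. Tighten the guard to `if (!analysis?.summary?.findingsBySeverity) throw new Error(...)`, and consider whether a transport or service failure here should abort the run at all: the findings were already written to `outfile` and uploaded, so a warning plus a fallback to `SARIF.analysis.summarize(results.sarif, target)` would keep the scan usable when the analysis service is unreachable. If the service computes the summary asynchronously from the results just POSTed, a single immediate GET could also race it and a bounded retry may be needed — I cannot tell from the visible code. The enclosing function starts before and ends after this hunk.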
@@ -11,8 +11,26 @@ const enabled = () => {
11
11
  return false
12
12
  }
13
13
 
14
+ const receive = async (path, params, token) => {
15
+ return fetch(toReceiveURL(path, params), {
16
+ method: 'GET',
17
+ headers: {
18
+ 'Authorization': `Bearer ${token ?? process.env.EUREKA_AGENT_TOKEN}`,
19
+ 'User-Agent': USER_AGENT,
20
+ 'Accept': 'application/json'
21
+ }
22
+ }).then(async (res) => {
23
+ const responseJson = await res.json();
24
+ return responseJson;
25
+ })
26
+ }
27
+
28
+ const receiveSensitive = async (path, params) => {
29
+ return receive(path, params, await token())
30
+ }
31
+
14
32
  const send = async (path, params, body, token) => {
15
- return fetch(toURL(path, params), {
33
+ return fetch(toPostURL(path, params), {
16
34
  method: 'POST',
17
35
  headers: {
18
36
  'Authorization': `Bearer ${token ?? process.env.EUREKA_AGENT_TOKEN}`,
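Review bot: `receive` calls `res.json()` on every response without checking `res.ok`, so an HTTP 401/403/500 with a JSON error body is returned to the caller as if it were a summary, and a non-JSON error body surfaces as a parse error that hides the status code. Add `if (!res.ok) throw new Error(`Telemetry request failed: GET ${path} returned HTTP ${res.status}`)` before the `res.json()` call, matching the error style already used by `toPostURL`. The request also has no timeout; if the project's Node baseline allows it, passing `signal: AbortSignal.timeout(...)` to `fetch` would stop a stalled analysis service from hanging the CLI — the minimum supported Node version is not visible here. The `send` function that follows is cut off at the end of the hunk.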
@@ -48,12 +66,17 @@ const token = async () => {
48
66
  return data.token
49
67
  }
50
68
 
51
- const toURL = (path, params) => {
69
+ const toPostURL = (path, params) => {
52
70
  if (path === `scans/started`) return `${EWA_URL}/scans/started`
53
71
  if (path === `scans/:scanID/completed`) return `${EWA_URL}/scans/${params.scanID}/completed`
54
72
  if (path === `scans/:scanID/failed`) return `${EWA_URL}/scans/${params.scanID}/completed`
55
73
  if (path === `scans/:scanID/results`) return `${VDBE_URL}/scans/${params.scanID}/results`
56
- throw new Error(`Internal Error: Unknown telemetry event: ${path}`)
74
+ throw new Error(`Internal Error: Unknown telemetry event: POST ${path}`)
75
+ }
76
+
77
+ const toReceiveURL = (path, params) => {
78
+ if (path === `scans/:scanID/summary`) return `${VDBE_URL}/scans/${params.scanID}/summary?profileId=${process.env.EUREKA_PROFILE}`
79
+ throw new Error(`Internal Error: Unknown telemetry event: GET ${path}`)
57
80
  }
58
81
 
59
82
  const toContentType = (path) => {
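Review bot: `toReceiveURL` interpolates `process.env.EUREKA_PROFILE` and `params.scanID` straight into the URL with no encoding, so an unset profile yields the literal query `?profileId=undefined` and any reserved characters in either value change the request path or query. Build the URL with `new URL(...)` and `searchParams.set` (assuming `VDBE_URL` is an absolute base URL, which `fetch` requires anyway), and only attach `profileId` when the variable is set — or fail explicitly if the service requires it; which of the two the backend expects is not visible here. The same unencoded `params.scanID` interpolation exists in `toPostURL`, but that is pre-existing.

```javascript
const toReceiveURL = (path, params) => {
  if (path === `scans/:scanID/summary`) {
    const url = new URL(`${VDBE_URL}/scans/${encodeURIComponent(params.scanID)}/summary`)
    // Omit the parameter rather than sending the string "undefined" when no profile is configured.
    if (process.env.EUREKA_PROFILE) url.searchParams.set('profileId', process.env.EUREKA_PROFILE)
    return url.toString()
  }
  throw new Error(`Internal Error: Unknown telemetry event: GET ${path}`)
}
```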
@@ -81,6 +104,8 @@ const toFindings = (summary) => ({
81
104
 
82
105
  module.exports = {
83
106
  enabled,
107
+ receive,
108
+ receiveSensitive,
84
109
  send,
85
110
  sendSensitive
86
111
  }