nntc-ui 0.0.77 → 0.0.78
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
-
{"vulnerabilities":[{"id":"20c6beef787e1a72add51a37acb19ec2f053be08","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42363","value":"CVE-2023-42363","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42363"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15865"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42363"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42363"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.","solution":"Upgrade busybox to 1.36.1-r7"},{"id":"b68545decc11d03588bd503a8d17e9f4c2893a98","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42364","value":"CVE-2023-42364","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42364"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15868"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42364"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42364"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.","solution":"Upgrade busybox to 1.36.1-r7"},{"id":"0fedaca15edeeab65e29d1ed3bc5c81e23d2a3a6","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42365","value":"CVE-2023-42365","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42365"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15871"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42365"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42365"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.","solution":"Upgrade busybox to 1.36.1-r7"},{"id":"1a985b0fe4d55df1454db26489cbdd8674713827","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42366","value":"CVE-2023-42366","url":"https://access.redhat.com/security/cve/CVE-2023-42366"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-42366"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15874"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42366"},{"url":"https://security.netapp.com/advisory/ntap-20241206-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42366"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.","solution":"Upgrade busybox to 1.36.1-r6"},{"id":"05c030c2f7b166a3ca442be64f4428883b963145","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42363","value":"CVE-2023-42363","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42363"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15865"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42363"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42363"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.","solution":"Upgrade busybox-binsh to 1.36.1-r7"},{"id":"81f071afe66cf15e9a2a38e31cfe0de7c24ad5ef","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42364","value":"CVE-2023-42364","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42364"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15868"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42364"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42364"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.","solution":"Upgrade busybox-binsh to 1.36.1-r7"},{"id":"829b269b83ddfb5b0eb10ed64be24f04680ba5dc","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42365","value":"CVE-2023-42365","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42365"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15871"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42365"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42365"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.","solution":"Upgrade busybox-binsh to 1.36.1-r7"},{"id":"ac8b89a7af01d0350fe5c86af73d6e3aeb3e9e5f","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42366","value":"CVE-2023-42366","url":"https://access.redhat.com/security/cve/CVE-2023-42366"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-42366"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15874"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42366"},{"url":"https://security.netapp.com/advisory/ntap-20241206-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42366"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.","solution":"Upgrade busybox-binsh to 1.36.1-r6"},{"id":"1bf848a25a09803762f26385917e319d53b280a9","severity":"High","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2398","value":"CVE-2024-2398","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/3"},{"url":"https://access.redhat.com/errata/RHSA-2024:5654"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2398"},{"url":"https://bugzilla.redhat.com/2270498"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270498"},{"url":"https://curl.se/docs/CVE-2024-2398.html"},{"url":"https://curl.se/docs/CVE-2024-2398.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398"},{"url":"https://errata.almalinux.org/8/ALSA-2024-5654.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:5654"},{"url":"https://hackerone.com/reports/2402845"},{"url":"https://linux.oracle.com/cve/CVE-2024-2398.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-5654.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2398"},{"url":"https://security.netapp.com/advisory/ntap-20240503-00
09/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-2"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2398"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.","solution":"Upgrade curl to 8.7.1-r0"},{"id":"bf61569f4d60a1945a9b508f292939cc2eaabe7d","severity":"High","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6197","value":"CVE-2024-6197","url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/5"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6197"},{"url":"https://curl.se/docs/CVE-2024-6197.html"},{"url":"https://curl.se/docs/CVE-2024-6197.json"},{"url":"https://hackerone.com/reports/2559516"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6197"},{"url":"https://security.netapp.com/advisory/ntap-20241129-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6197"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.","solution":"Upgrade curl to 8.9.0-r0"},{"id":"ba873b4d972c3f371ad1ecf54ab23950ae561df9","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0853","value":"CVE-2024-0853","url":"https://access.redhat.com/security/cve/CVE-2024-0853"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2024-0853"},{"url":"https://curl.se/docs/CVE-2024-0853.html"},{"url":"https://curl.se/docs/CVE-2024-0853.json"},{"url":"https://hackerone.com/reports/2298922"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0853"},{"url":"https://security.netapp.com/advisory/ntap-20240307-0004/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0012/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0853"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor 
Status","type":"text","value":"fixed"}},"description":"curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.","solution":"Upgrade curl to 8.6.0-r0"},{"id":"5a4e3f8bb5f7da57d2af13d2d408a6a04c720a20","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-11053","value":"CVE-2024-11053","url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-11053"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.
redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/sho
w_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=233
9295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339300"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-11053.html"},{"url":"https://curl.se/docs/CVE-2024-11053.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{
"url":"https://hackerone.com/reports/2829063"},{"url":"https://linux.oracle.com/cve/CVE-2024-11053.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11053"},{"url":"https://security.netapp.com/advisory/ntap-20250124-0012/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0003/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7162-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-11053"},{"url":"https://www.oracle.com/security-alerts/cpujan2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password.","solution":"Upgrade curl to 8.11.1-r0"},{"id":"e2007b8614f1a30dde9687a23ee183ac94896d1d","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2004","value":"CVE-2024-2004","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2004"},{"url":"https://curl.se/docs/CVE-2024-2004.html"},{"url":"https://curl.se/docs/CVE-2024-2004.json"},{"url":"https://hackerone.com/reports/2384833"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2004"},{"url":"https://security.netapp.com/advisory/ntap-20240524-0006/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2004"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. 
curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.","solution":"Upgrade curl to 8.7.1-r0"},{"id":"632c73225513f9fa97cc097ff3ca52281afd6b86","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2379","value":"CVE-2024-2379","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2379"},{"url":"https://curl.se/docs/CVE-2024-2379.html"},{"url":"https://curl.se/docs/CVE-2024-2379.json"},{"url":"https://hackerone.com/reports/2410774"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2379"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0001/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2379"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. 
If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.","solution":"Upgrade curl to 8.7.1-r0"},{"id":"585b62551db8036835822f1386b8addc288d3622","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2466","value":"CVE-2024-2466","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/4"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2466"},{"url":"https://curl.se/docs/CVE-2024-2466.html"},{"url":"https://curl.se/docs/CVE-2024-2466.json"},{"url":"https://hackerone.com/reports/2416725"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2466"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0010/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2466"},{"url":"https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. 
This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).","solution":"Upgrade curl to 8.7.1-r0"},{"id":"14e95c4b76069ce3d5406085f072686a3a7089f2","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6874","value":"CVE-2024-6874","url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6874"},{"url":"https://curl.se/docs/CVE-2024-6874.html"},{"url":"https://curl.se/docs/CVE-2024-6874.json"},{"url":"https://hackerone.com/reports/2604391"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6874"},{"url":"https://security.netapp.com/advisory/ntap-20240822-0004/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6874"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. 
The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.","solution":"Upgrade curl to 8.9.0-r0"},{"id":"b77ad979ac8d0a75c70ab106438fbbf2c30aae06","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-7264","value":"CVE-2024-7264","url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-7264"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https
://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.redhat.com/show_
bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=23393
00"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-7264.html"},{"url":"https://curl.se/docs/CVE-2024-7264.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.org/cgi-bin/cvename
.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{"url":"https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519"},{"url":"https://hackerone.com/reports/2629
968"},{"url":"https://linux.oracle.com/cve/CVE-2024-7264.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7264"},{"url":"https://security.netapp.com/advisory/ntap-20240828-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6944-1"},{"url":"https://ubuntu.com/security/notices/USN-6944-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-7264"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.","solution":"Upgrade curl to 8.9.1-r0"},{"id":"585c3eeae4510521a81a90598a636d8a4e0dfcdc","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-8096","value":"CVE-2024-8096","url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-8096"},{"url":"https://curl.se/docs/CVE-2024-8096.html"},{"url":"https://curl.se/docs/CVE-2024-8096.json"},{"url":"https://hackerone.com/reports/2669852"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8096"},{"url":"https://security.netapp.com/advisory/ntap-20241011-0005/"},{"url":"https://ubuntu.com/security/notices/USN-7012-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-8096"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. 
If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.","solution":"Upgrade curl to 8.10.0-r0"},{"id":"c5a798cb043745e91a36743941bf48fc962aed01","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9681","value":"CVE-2024-9681","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"http://www.openwall.com/lists/oss-security/2024/11/06/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9681"},{"url":"https://curl.se/docs/CVE-2024-9681.html"},{"url":"https://curl.se/docs/CVE-2024-9681.json"},{"url":"https://hackerone.com/reports/2764830"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9681"},{"url":"https://security.netapp.com/advisory/ntap-20241213-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7104-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9681"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and 
perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.","solution":"Upgrade curl to 8.11.0-r0"},{"id":"f53531d040cdd1744e03d4fb43d5febdd6a0aa12","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0665","value":"CVE-2025-0665","url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/5"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0665"},{"url":"https://curl.se/docs/CVE-2025-0665.html"},{"url":"https://curl.se/docs/CVE-2025-0665.json"},{"url":"https://hackerone.com/reports/2954286"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0665"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0665"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl would wrongly close the same eventfd file descriptor twice when taking\ndown a connection channel after having completed a threaded name resolve.","solution":"Upgrade curl to 8.12.0-r0"},{"id":"90c3fb00a9001bad1553c9495742eb0d21967068","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0725","value":"CVE-2025-0725","url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/4"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0725"},{"url":"https://curl.se/docs/CVE-2025-0725.html"},{"url":"https://curl.se/docs/CVE-2025-0725.json"},{"url":"https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7"},{"url":"https://hackerone.com/reports/2956023"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0725"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0009/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0725"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow.","solution":"Upgrade curl to 8.12.0-r0"},{"id":"d5470075347d175e66fb1caa926b4a1590cf9bed","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0167","value":"CVE-2025-0167","url":"https://curl.se/docs/CVE-2025-0167.html"}],"links":[{"url":"https://curl.se/docs/CVE-2025-0167.html"},{"url":"https://curl.se/docs/CVE-2025-0167.json"},{"url":"https://hackerone.com/reports/2917232"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0167"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0167"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. 
A rare circumstance.","solution":"Upgrade curl to 8.12.0-r0"},{"id":"4fe50934b51a892374de0ab4dfc8d80bdb765559","severity":"High","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6119","value":"CVE-2024-6119","url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"},{"url":"https://access.redhat.com/errata/RHSA-2024:8935"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6119"},{"url":"https://bugzilla.redhat.com/2306158"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2306158"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6119"},{"url":"https://errata.almalinux.org/9/ALSA-2024-8935.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6783"},{"url":"https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f"},{"url":"https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6"},{"url":"https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2"},{"url":"https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0"},{"url":"https://github.com/openssl/openssl/security/advisories/GHSA-5qrj-vq78-58fj"},{"url":"https://linux.oracle.com/cve/CVE-2024-6119.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-8935.html"},{"url":"https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6119"},{"url":"https://openssl-library.org/news/secadv/20240903.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240912-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6986-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6119"}],"details":{"vulnerable_packa
ge":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.7-r0"},{"id":"dca4673e12d14b66f37a0bd978d9876f58d4b5ce","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6129","value":"CVE-2023-6129","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6129"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35"},{"url":"https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04"},{"url":"https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015"},{"url":"https://linux.oracle.com/cve/CVE-2023-6129.html"},{"url":"https://linux.oracle.c
om/errata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6129"},{"url":"https://security.netapp.com/advisory/ntap-20240216-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0013/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0011/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6129"},{"url":"https://www.openssl.org/news/secadv/20240109.txt"},{"url":"https://www.openwall.com/lists/oss-security/2024/01/09/1"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. 
However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.","solution":"Upgrade libcrypto3 to 3.1.4-r3"},{"id":"aae8b2074e5f8610501a0a62e2560d0c20edea42","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6237","value":"CVE-2023-6237","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6237"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d"},{"url":"https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a"},{"url":"https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294"},{"url":"https://linux.oracle.com/cve/CVE-2023-6237.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6237"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0007/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6237"},{"url":"https://www.openssl.org/news/secadv/20240115.txt"}
,{"url":"https://www.openwall.com/lists/oss-security/2024/01/15/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. 
For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.4-r4"},{"id":"bb048a3650267cb6552eb767e16f2245af572f78","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0727","value":"CVE-2024-0727","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2024-0727"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2"},{"url":"https://github.com/github/advisory-database/pull/3472"},{"url":"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2"},{"url":"ht
tps://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a"},{"url":"https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c"},{"url":"https://github.com/openssl/openssl/pull/23362"},{"url":"https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539"},{"url":"https://linux.oracle.com/cve/CVE-2024-0727.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0727"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-6632-1"},{"url":"https://ubuntu.com/security/notices/USN-6709-1"},{"url":"https://ubuntu.com/security/notices/USN-7018-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0727"},{"url":"https://www.openssl.org/news/secadv/20240125.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. 
The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.4-r5"},{"id":"a65128e06964f3bcd936e844776a3a4191dc8a54","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-13176","value":"CVE-2024-13176","url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"},{"url":"https://access.redhat.com/errata/RHSA-2025:15699"},{"url":"https://access.redhat.com/security/cve/CVE-2024-13176"},{"url":"https://bugzilla.redhat.com/2359885"},{"url":"https://bugzilla.redhat.com/2359888"},{"url":"https://bugzilla.redhat.com/2359892"},{"url":"https://bugzilla.redhat.com/2359894"},{"url":"https://bugzilla.redhat.com/2359895"},{"url":"https://bugzilla.redhat.com/2359899"},{"url":"https://bugzilla.redhat.com/2359900"},{"url":"https://bugzilla.redhat.com/2359902"},{"url":"https://bugzilla.redhat.com/2359903"},{"url":"https://bugzilla.redhat.com/2359911"},{"url":"https://bugzilla.redhat.com/2359918"},{"url":"https://bugzilla.redhat.com/2359920"},{"url":"https://bugzilla.redhat.com/2359924"},{"url":"https://bugzil
la.redhat.com/2359928"},{"url":"https://bugzilla.redhat.com/2359930"},{"url":"https://bugzilla.redhat.com/2359932"},{"url":"https://bugzilla.redhat.com/2359934"},{"url":"https://bugzilla.redhat.com/2359938"},{"url":"https://bugzilla.redhat.com/2359940"},{"url":"https://bugzilla.redhat.com/2359943"},{"url":"https://bugzilla.redhat.com/2359944"},{"url":"https://bugzilla.redhat.com/2359945"},{"url":"https://bugzilla.redhat.com/2359947"},{"url":"https://bugzilla.redhat.com/2359950"},{"url":"https://bugzilla.redhat.com/2359963"},{"url":"https://bugzilla.redhat.com/2359964"},{"url":"https://bugzilla.redhat.com/2359972"},{"url":"https://bugzilla.redhat.com/2370920"},{"url":"https://bugzilla.redhat.com/2380264"},{"url":"https://bugzilla.redhat.com/2380273"},{"url":"https://bugzilla.redhat.com/2380274"},{"url":"https://bugzilla.redhat.com/2380278"},{"url":"https://bugzilla.redhat.com/2380280"},{"url":"https://bugzilla.redhat.com/2380283"},{"url":"https://bugzilla.redhat.com/2380284"},{"url":"https://bugzilla.redhat.com/2380290"},{"url":"https://bugzilla.redhat.com/2380291"},{"url":"https://bugzilla.redhat.com/2380295"},{"url":"https://bugzilla.redhat.com/2380298"},{"url":"https://bugzilla.redhat.com/2380306"},{"url":"https://bugzilla.redhat.com/2380308"},{"url":"https://bugzilla.redhat.com/2380309"},{"url":"https://bugzilla.redhat.com/2380310"},{"url":"https://bugzilla.redhat.com/2380312"},{"url":"https://bugzilla.redhat.com/2380313"},{"url":"https://bugzilla.redhat.com/2380320"},{"url":"https://bugzilla.redhat.com/2380321"},{"url":"https://bugzilla.redhat.com/2380322"},{"url":"https://bugzilla.redhat.com/2380326"},{"url":"https://bugzilla.redhat.com/2380327"},{"url":"https://bugzilla.redhat.com/2380334"},{"url":"https://bugzilla.redhat.com/2380335"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2338999"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359888"},{"url":"https://bugzilla.redhat.com/show_b
ug.cgi?id=2359892"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359894"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359895"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359899"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359902"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359903"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359911"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359918"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359924"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359928"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359930"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359932"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359934"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359938"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359940"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359943"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359945"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359947"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359950"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359963"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359964"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359972"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2370920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380264"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380273"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380274"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380278"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380280"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380283"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=238028
4"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380290"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380298"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380306"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380308"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380309"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380310"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380312"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380313"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380320"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380321"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380322"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380326"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380327"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380334"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380335"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21574"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21575"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21577"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21579"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21580"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21584"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21585"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21588"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30681"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30682"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30683"},{"url"
:"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30684"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30685"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30687"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30688"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30689"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30693"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30695"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30696"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30699"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30703"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30705"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30715"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30721"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30722"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50077"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50078"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50079"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50080"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50081"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50082"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50083"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50084"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50085"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50086"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50087"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50088"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202
5-50091"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50092"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50093"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50094"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50096"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50097"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50098"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50099"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50100"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50101"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50102"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50104"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5399"},{"url":"https://errata.almalinux.org/10/ALSA-2025-15699.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:15699"},{"url":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844"},{"url":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467"},{"url":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902"},{"url":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65"},{"url":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86"},{"url":"https://linux.oracle.com/cve/CVE-2024-13176.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-16046.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-13176"},{"url":"https://openssl-library.org/news/secadv/20250120.txt"},{
"url":"https://security.netapp.com/advisory/ntap-20250124-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20250418-0010/"},{"url":"https://security.netapp.com/advisory/ntap-20250502-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-13176"},{"url":"https://www.oracle.com/security-alerts/cpuapr2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. 
For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.8-r0"},{"id":"ade4671aea253a50bce2a9c62d1d912812adf2d6","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4603","value":"CVE-2024-4603","url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4603"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"},{"url":"https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"},{"url":"https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"},{"url":"https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"},{"url":"https://linu
x.oracle.com/cve/CVE-2024-4603.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4603"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4603"},{"url":"https://www.openssl.org/news/secadv/20240516.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. 
However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.5-r0"},{"id":"e74faee0e2bd6aede5c4b9aae080a8a1b4f51e47","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4741","value":"CVE-2024-4741","url":"https://access.redhat.com/errata/RHSA-2024:9333"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4741"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https:
//errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177"},{"url":"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d"},{"url":"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac"},{"url":"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4"},{"url":"https://linux.oracle.com/cve/CVE-2024-4741.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4741"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0004/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4741"},{"url":"https://www.openssl.org/news/secadv/20240528.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. 
Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.6-r0"},{"id":"b5e54ca9024224227c416ff52a6d009323bf3e77","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-5535","value":"CVE-2024-5535","url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/06/28/4"},{"url":"http://www.openwall.com/lists/oss-security/2024/08/15/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-5535"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.r
edhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37"},{"url":"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e"},{"url":"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c"},{"url":"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit
/b78ec0824da857223486660177d3b1f255c65d87"},{"url":"https://linux.oracle.com/cve/CVE-2024-5535.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5535"},{"url":"https://openssl.org/news/secadv/20240627.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240712-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-5535"},{"url":"https://www.openssl.org/news/secadv/20240627.txt"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. 
This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. 
If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. 
The fix will be included in the next releases when they\nbecome available.","solution":"Upgrade libcrypto3 to 3.1.6-r0"},{"id":"d7b342e6861a428ef2c2baddebdfb00d5fe7bf52","severity":"Low","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2511","value":"CVE-2024-2511","url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2511"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce"},{"url":"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d"},{"url":"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640"},{"url":"https://linux.oracle.com/cve/CVE-2024-2511.html"},{"url":"ht
tps://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2511"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0013/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2511"},{"url":"https://www.openssl.org/news/secadv/20240408.txt"},{"url":"https://www.openssl.org/news/vulnerabilities.html"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL\n1.0.2 is also not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.4-r6"},{"id":"4b41241062c3b166497b3bba3932a9df74e207d4","severity":"Low","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9143","value":"CVE-2024-9143","url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/23/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/24/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9143"},{"url":"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712"},{"url":"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700"},{"url":"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4"},{"url":"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9143"},{"url":"https://openssl-library.org/news/secadv/20241016.txt"},{"url":"https://security.netapp.com/advisory/ntap-20241101-0001/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9143"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. 
Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.7-r1"},{"id":"924719b3263a459f888ab24a8bf17c316cb8868f","severity":"High","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2398","value":"CVE-2024-2398","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/3"},{"url":"https://access.redhat.com/errata/RHSA-2024:5654"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2398"},{"url":"https://bugzilla.redhat.com/2270498"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270498"},{"url":"https://curl.se/docs/CVE-2024-2398.html"},{"url":"https://curl.se/docs/CVE-2024-2398.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398"},{"url":"https://errata.almalinux.org/8/ALSA-2024-5654.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:5654"},{"url":"https://hackerone.com/reports/2402845"},{"url":"https://linux.oracle.com/cve/CVE-2024-2398.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-5654.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2398"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0009/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://
support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-2"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2398"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"73f0c41938cea3799c81887a9290eb1f12b7183d","severity":"High","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6197","value":"CVE-2024-6197","url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/5"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6197"},{"url":"https://curl.se/docs/CVE-2024-6197.html"},{"url":"https://curl.se/docs/CVE-2024-6197.json"},{"url":"https://hackerone.com/reports/2559516"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6197"},{"url":"https://security.netapp.com/advisory/ntap-20241129-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6197"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor 
Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.","solution":"Upgrade libcurl to 8.9.0-r0"},{"id":"975157bbce99365afb98a362a4fa28c6a1adb879","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0853","value":"CVE-2024-0853","url":"https://access.redhat.com/security/cve/CVE-2024-0853"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2024-0853"},{"url":"https://curl.se/docs/CVE-2024-0853.html"},{"url":"https://curl.se/docs/CVE-2024-0853.json"},{"url":"https://hackerone.com/reports/2298922"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0853"},{"url":"https://security.netapp.com/advisory/ntap-20240307-0004/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0012/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0853"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"curl inadvertently kept the SSL session ID for connections in 
its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.","solution":"Upgrade libcurl to 8.6.0-r0"},{"id":"896f8b8a68bcfde8368fbb1a55c9107a431f17b8","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-11053","value":"CVE-2024-11053","url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-11053"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"
},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.r
edhat.com/show_bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_b
ug.cgi?id=2339300"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-11053.html"},{"url":"https://curl.se/docs/CVE-2024-11053.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.or
g/cgi-bin/cvename.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{"url":"https://hackerone.com/reports/2829063"},{"url":"https://linux.oracle.com/cve/CVE-2024-11053.html"},{"url
":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11053"},{"url":"https://security.netapp.com/advisory/ntap-20250124-0012/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0003/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7162-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-11053"},{"url":"https://www.oracle.com/security-alerts/cpujan2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password.","solution":"Upgrade libcurl to 8.11.1-r0"},{"id":"d7fe98dbdcea2dfb045a784f81315cdf55664bd1","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2004","value":"CVE-2024-2004","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2004"},{"url":"https://curl.se/docs/CVE-2024-2004.html"},{"url":"https://curl.se/docs/CVE-2024-2004.json"},{"url":"https://hackerone.com/reports/2384833"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2004"},{"url":"https://security.netapp.com/advisory/ntap-20240524-0006/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2004"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. 
curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"404657348860f3e080e5588c288953c8eccf7096","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2379","value":"CVE-2024-2379","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2379"},{"url":"https://curl.se/docs/CVE-2024-2379.html"},{"url":"https://curl.se/docs/CVE-2024-2379.json"},{"url":"https://hackerone.com/reports/2410774"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2379"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0001/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2379"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. 
If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"8e0b55c2c7e0b2eb9575984c009d766b28dbb68e","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2466","value":"CVE-2024-2466","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/4"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2466"},{"url":"https://curl.se/docs/CVE-2024-2466.html"},{"url":"https://curl.se/docs/CVE-2024-2466.json"},{"url":"https://hackerone.com/reports/2416725"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2466"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0010/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2466"},{"url":"https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. 
This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"1fd2a4d77e4ca7aa4b3e727d58c9c046f4a6cc04","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6874","value":"CVE-2024-6874","url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6874"},{"url":"https://curl.se/docs/CVE-2024-6874.html"},{"url":"https://curl.se/docs/CVE-2024-6874.json"},{"url":"https://hackerone.com/reports/2604391"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6874"},{"url":"https://security.netapp.com/advisory/ntap-20240822-0004/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6874"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. 
The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.","solution":"Upgrade libcurl to 8.9.0-r0"},{"id":"4f26684d498dc5048d3aa8129bb465718171ad5d","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-7264","value":"CVE-2024-7264","url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-7264"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":
"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.redhat.com
/show_bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id
=2339300"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-7264.html"},{"url":"https://curl.se/docs/CVE-2024-7264.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.org/cgi-bin/c
vename.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{"url":"https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519"},{"url":"https://hackerone.com/report
s/2629968"},{"url":"https://linux.oracle.com/cve/CVE-2024-7264.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7264"},{"url":"https://security.netapp.com/advisory/ntap-20240828-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6944-1"},{"url":"https://ubuntu.com/security/notices/USN-6944-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-7264"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.","solution":"Upgrade libcurl to 8.9.1-r0"},{"id":"499b502da210845158e322e2d4035bdea7fc9361","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-8096","value":"CVE-2024-8096","url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-8096"},{"url":"https://curl.se/docs/CVE-2024-8096.html"},{"url":"https://curl.se/docs/CVE-2024-8096.json"},{"url":"https://hackerone.com/reports/2669852"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8096"},{"url":"https://security.netapp.com/advisory/ntap-20241011-0005/"},{"url":"https://ubuntu.com/security/notices/USN-7012-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-8096"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. 
If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.","solution":"Upgrade libcurl to 8.10.0-r0"},{"id":"07f1e7301844cb8f3f6068b6baad36bbc0573e94","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9681","value":"CVE-2024-9681","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"http://www.openwall.com/lists/oss-security/2024/11/06/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9681"},{"url":"https://curl.se/docs/CVE-2024-9681.html"},{"url":"https://curl.se/docs/CVE-2024-9681.json"},{"url":"https://hackerone.com/reports/2764830"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9681"},{"url":"https://security.netapp.com/advisory/ntap-20241213-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7104-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9681"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` 
scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.","solution":"Upgrade libcurl to 8.11.0-r0"},{"id":"5b2915af4d433101002b92fd5d6c2ae4de34f7f5","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0665","value":"CVE-2025-0665","url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/5"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0665"},{"url":"https://curl.se/docs/CVE-2025-0665.html"},{"url":"https://curl.se/docs/CVE-2025-0665.json"},{"url":"https://hackerone.com/reports/2954286"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0665"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0665"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl would wrongly close the same eventfd file descriptor twice when taking\ndown a connection channel after having completed a threaded name resolve.","solution":"Upgrade libcurl to 8.12.0-r0"},{"id":"3b4a56567f1a2f535f744d5b2ec7b439169b4dbe","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0725","value":"CVE-2025-0725","url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/4"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0725"},{"url":"https://curl.se/docs/CVE-2025-0725.html"},{"url":"https://curl.se/docs/CVE-2025-0725.json"},{"url":"https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7"},{"url":"https://hackerone.com/reports/2956023"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0725"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0009/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0725"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow.","solution":"Upgrade libcurl to 8.12.0-r0"},{"id":"8d0d326ba63844e2920b6773fddc6d8679b9db46","severity":"Low","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0167","value":"CVE-2025-0167","url":"https://curl.se/docs/CVE-2025-0167.html"}],"links":[{"url":"https://curl.se/docs/CVE-2025-0167.html"},{"url":"https://curl.se/docs/CVE-2025-0167.json"},{"url":"https://hackerone.com/reports/2917232"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0167"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0167"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. 
A rare circumstance.","solution":"Upgrade libcurl to 8.12.0-r0"},{"id":"d2d4aeaec58fbcb35c3137a963eec5e63e454d81","severity":"Critical","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-45491","value":"CVE-2024-45491","url":"https://access.redhat.com/errata/RHSA-2024:8859"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:8859"},{"url":"https://access.redhat.com/security/cve/CVE-2024-45491"},{"url":"https://bugzilla.redhat.com/2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308615"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308617"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45492"},{"url":"https://errata.almalinux.org/8/ALSA-2024-8859.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6754"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes"},{"url":"https://github.com/libexpat/libexpat/issues/888"},{"url":"https://github.com/libexpat/libexpat/pull/891"},{"url":"https://linux.oracle.com/cve/CVE-2024-45491.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-8859.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45491"},{"url":"https://security.netapp.com/advisory/ntap-20241018-0003/"},{"url":"https://ubuntu.com/security/notices/USN-7000-1"},{"url":"https://ubuntu.com/security/notices/USN-7000-2"},{"url":"https://ubuntu.com/security/notices/USN-7001-1"},{"url":"https://ubuntu.com/security/notices/USN-7001-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-45491"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).","solution":"Upgrade libexpat to 2.6.3-r0"},{"id":"e460c01642dd50952eb9990e1a2003458a6f0946","severity":"Critical","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-45492","value":"CVE-2024-45492","url":"https://access.redhat.com/errata/RHSA-2024:6989"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:6989"},{"url":"https://access.redhat.com/security/cve/CVE-2024-45492"},{"url":"https://bugzilla.redhat.com/2308615"},{"url":"https://bugzilla.redhat.com/2308616"},{"url":"https://bugzilla.redhat.com/2308617"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308615"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308617"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45492"},{"url":"https://errata.almalinux.org/8/ALSA-2024-6989.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6754"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes"},{"url":"https://github.com/libexpat/libexpat/issues/889"},{"url":"https://github.com/libexpat/libexpat/pull/892"},{"url":"https://linux.oracle.com/cve/CVE-2024-45492.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-6989.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45492"},{"url":"https://security
.netapp.com/advisory/ntap-20241018-0005/"},{"url":"https://ubuntu.com/security/notices/USN-7000-1"},{"url":"https://ubuntu.com/security/notices/USN-7000-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-45492"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).","solution":"Upgrade libexpat to 2.6.3-r0"},{"id":"cf5553533d4669134d182dc4cdea7137aa0fb7af","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-52425","value":"CVE-2023-52425","url":"http://www.openwall.com/lists/oss-security/2024/03/20/5"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/20/5"},{"url":"https://access.redhat.com/errata/RHSA-2024:4259"},{"url":"https://access.redhat.com/security/cve/CVE-2023-52425"},{"url":"https://bugzilla.redhat.com/2262877"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2262877"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425"},{"url":"https://errata.almalinux.org/8/ALSA-2024-4259.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:1615"},{"url":"https://github.com/libexpat/libexpat/pull/789"},{"url":"https://linux.oracle.com/cve/CVE-2023-52425.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-4259.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"ht
tps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52425"},{"url":"https://security.netapp.com/advisory/ntap-20240614-0003/"},{"url":"https://ubuntu.com/security/notices/USN-6694-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-52425"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.","solution":"Upgrade libexpat to 2.6.0-r0"},{"id":"a8c03e60e4d901019e954c408a91ade79d4153b2","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-28757","value":"CVE-2024-28757","url":"http://www.openwall.com/lists/oss-security/2024/03/15/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/15/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:1530"},{"url":"https://access.redhat.com/security/cve/CVE-2024-28757"},{"url":"https://bugzilla.redhat.com/2262877"},{"url":"https://bugzilla.redhat.com/2268766"},{"url":"https://errata.almalinux.org/9/ALSA-2024-1530.html"},{"url":"https://github.com/libexpat/libexpat/issues/839"},{"url":"https://github.com/libexpat/libexpat/pull/842"},{"url":"https://linux.oracle.com/cve/CVE-2024-28757.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-1530.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28757"},{"url":"https://security.netapp.com/advisory/ntap-20240322-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6694-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-28757"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).","solution":"Upgrade libexpat to 2.6.2-r0"},{"id":"b29acc04ddb3fa9140e9f7de32b657138eeaab05","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-45490","value":"CVE-2024-45490","url":"http://seclists.org/fulldisclosure/2024/Dec/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Dec/10"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/12"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/6"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/7"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/8"},{"url":"https://access.redhat.com/errata/RHSA-2024:6989"},{"url":"https://access.redhat.com/security/cve/CVE-2024-45490"},{"url":"https://bugzilla.redhat.com/2308615"},{"url":"https://bugzilla.redhat.com/2308616"},{"url":"https://bugzilla.redhat.com/2308617"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308615"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308617"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45492"},{"url":"https://errata.almalinux.org/8/ALSA-2024-6989.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6754"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes"},{"url":"https://github.com/libexpat/libexpat/issues/887"},{"url":"https://github.com/libexpat/libexpat/pull/890"},{"url":"https://linux
.oracle.com/cve/CVE-2024-45490.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-6989.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45490"},{"url":"https://security.netapp.com/advisory/ntap-20241018-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7000-1"},{"url":"https://ubuntu.com/security/notices/USN-7000-2"},{"url":"https://ubuntu.com/security/notices/USN-7001-1"},{"url":"https://ubuntu.com/security/notices/USN-7001-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-45490"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.","solution":"Upgrade libexpat to 2.6.3-r0"},{"id":"a84df2bc4d3a5626641a26bba0c05d320fa47ae6","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-8176","value":"CVE-2024-8176","url":"http://seclists.org/fulldisclosure/2025/May/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/May/10"},{"url":"http://seclists.org/fulldisclosure/2025/May/11"},{"url":"http://seclists.org/fulldisclosure/2025/May/12"},{"url":"http://seclists.org/fulldisclosure/2025/May/6"},{"url":"http://seclists.org/fulldisclosure/2025/May/7"},{"url":"http://seclists.org/fulldisclosure/2025/May/8"},{"url":"http://www.openwall.com/lists/oss-security/2025/03/15/1"},{"url":"http://www.openwall.com/lists/oss-security/2025/09/24/11"},{"url":"https://access.redhat.com/errata/RHSA-2025:13681"},{"url":"https://access.redhat.com/errata/RHSA-2025:22033"},{"url":"https://access.redhat.com/errata/RHSA-2025:22034"},{"url":"https://access.redhat.com/errata/RHSA-2025:22035"},{"url":"https://access.redhat.com/errata/RHSA-2025:22607"},{"url":"https://access.redhat.com/errata/RHSA-2025:22785"},{"url":"https://access.redhat.com/errata/RHSA-2025:22842"},{"url":"https://access.redhat.com/errata/RHSA-2025:22871"},{"url":"https://access.redhat.com/errata/RHSA-2025:3531"},{"url":"https://access.redhat.com/errata/RHSA-2025:3734"},{"url":"https://access.redhat.com/errata/RHSA-2025:3913"},{"url":"https://access.redhat.com/errata/RHSA-2025:4048"},{"url":"https://access.redhat.com/errata/RHSA-2025:4446"},{"url":"https://access.redhat.com/errata/RHSA-2025:4447"},{"url":"https://access.redhat.com/errata/RHSA-2025:4448"},{"url":"https://access.redhat.com/errata/RHSA-2025:4449"},{"url":"https://access.redhat.com/errata/RHSA-2025:7444"},{"url":"https://access.redhat.com/errata/RHSA-2025:7512"},{"url":"https://access.redhat.com/errata/RHSA-2025:8385"},{"url":"https://access.redhat.com/security/cve/CVE-2024-8176"},{"url":"https://blog.hartwork.org/posts/expat-2-7-0-released/"},{"url":"https://bugzilla.redhat.com/2310137"},{"url":"https://bugzilla.
redhat.com/show_bug.cgi?id=2310137"},{"url":"https://bugzilla.suse.com/show_bug.cgi?id=1239618"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8176"},{"url":"https://errata.almalinux.org/8/ALSA-2025-3913.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:7444"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52"},{"url":"https://github.com/libexpat/libexpat/issues/893"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53"},{"url":"https://linux.oracle.com/cve/CVE-2024-8176.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7512.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8176"},{"url":"https://security-tracker.debian.org/tracker/CVE-2024-8176"},{"url":"https://security.netapp.com/advisory/ntap-20250328-0009/"},{"url":"https://ubuntu.com/security/CVE-2024-8176"},{"url":"https://ubuntu.com/security/notices/USN-7424-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-8176"},{"url":"https://www.kb.cert.org/vuls/id/760160"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. 
This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.","solution":"Upgrade libexpat to 2.7.0-r0"},{"id":"71c59ade93a8a165b5dff7df9794c9c7640ddec2","severity":"Medium","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-52426","value":"CVE-2023-52426","url":"https://access.redhat.com/security/cve/CVE-2023-52426"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-52426"},{"url":"https://cwe.mitre.org/data/definitions/776.html"},{"url":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"},{"url":"https://github.com/libexpat/libexpat/pull/777"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52426"},{"url":"https://security.netapp.com/advisory/ntap-20240307-0005/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-52426"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.","solution":"Upgrade libexpat to 2.6.0-r0"},{"id":"48c40bca7b9605aedabfc8e7a5fbf89287a2872d","severity":"Medium","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-50602","value":"CVE-2024-50602","url":"https://access.redhat.com/errata/RHSA-2024:9502"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:9502"},{"url":"https://access.redhat.com/security/cve/CVE-2024-50602"},{"url":"https://bugzilla.redhat.com/2321987"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2321987"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50602"},{"url":"https://errata.almalinux.org/8/ALSA-2024-9502.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9502"},{"url":"https://github.com/libexpat/libexpat/pull/915"},{"url":"https://linux.oracle.com/cve/CVE-2024-50602.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9541.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00040.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50602"},{"url":"https://security.netapp.com/advisory/ntap-20250404-0008/"},{"url":"https://ubuntu.com/security/notices/USN-7145-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-50602"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.4. 
There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.","solution":"Upgrade libexpat to 2.6.4-r0"},{"id":"8263158188daa5ac5025396c0008c2a6cb1332d3","severity":"High","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6119","value":"CVE-2024-6119","url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"},{"url":"https://access.redhat.com/errata/RHSA-2024:8935"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6119"},{"url":"https://bugzilla.redhat.com/2306158"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2306158"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6119"},{"url":"https://errata.almalinux.org/9/ALSA-2024-8935.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6783"},{"url":"https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f"},{"url":"https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6"},{"url":"https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2"},{"url":"https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0"},{"url":"https://github.com/openssl/openssl/security/advisories/GHSA-5qrj-vq78-58fj"},{"url":"https://linux.oracle.com/cve/CVE-2024-6119.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-8935.html"},{"url":"https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6119"},{"url":"https://openssl-library.org/news/secadv/20240903.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240912-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6986-1"},{"url":"https://ubuntu.com/security/notices/USN-7
894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6119"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.7-r0"},{"id":"e3d32a69d24bc566212c72f2e5065ec6276eb61e","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6129","value":"CVE-2023-6129","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6129"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35"},{"url":"https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04"},{"url":"https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015"},{"url":"https://linux.oracle.com/cve/CVE-2023-6129.html"},{"url":"https://linux.oracle.com/err
ata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6129"},{"url":"https://security.netapp.com/advisory/ntap-20240216-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0013/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0011/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6129"},{"url":"https://www.openssl.org/news/secadv/20240109.txt"},{"url":"https://www.openwall.com/lists/oss-security/2024/01/09/1"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. 
However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.","solution":"Upgrade libssl3 to 3.1.4-r3"},{"id":"b41cde3cde10787baf00eed82f813e9b8521044a","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6237","value":"CVE-2023-6237","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6237"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d"},{"url":"https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a"},{"url":"https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294"},{"url":"https://linux.oracle.com/cve/CVE-2023-6237.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6237"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0007/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6237"},{"url":"https://www.openssl.org/news/secadv/20240115.txt"}
,{"url":"https://www.openwall.com/lists/oss-security/2024/01/15/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. 
For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libssl3 to 3.1.4-r4"},{"id":"58561a05c3c729fa896225946cf32bccd0341056","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0727","value":"CVE-2024-0727","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2024-0727"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2"},{"url":"https://github.com/github/advisory-database/pull/3472"},{"url":"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2"},{"url":"https://
github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a"},{"url":"https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c"},{"url":"https://github.com/openssl/openssl/pull/23362"},{"url":"https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539"},{"url":"https://linux.oracle.com/cve/CVE-2024-0727.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0727"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-6632-1"},{"url":"https://ubuntu.com/security/notices/USN-6709-1"},{"url":"https://ubuntu.com/security/notices/USN-7018-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0727"},{"url":"https://www.openssl.org/news/secadv/20240125.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. 
The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.4-r5"},{"id":"b9205a9365092106bdedd71f7818cbb184458f45","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-13176","value":"CVE-2024-13176","url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"},{"url":"https://access.redhat.com/errata/RHSA-2025:15699"},{"url":"https://access.redhat.com/security/cve/CVE-2024-13176"},{"url":"https://bugzilla.redhat.com/2359885"},{"url":"https://bugzilla.redhat.com/2359888"},{"url":"https://bugzilla.redhat.com/2359892"},{"url":"https://bugzilla.redhat.com/2359894"},{"url":"https://bugzilla.redhat.com/2359895"},{"url":"https://bugzilla.redhat.com/2359899"},{"url":"https://bugzilla.redhat.com/2359900"},{"url":"https://bugzilla.redhat.com/2359902"},{"url":"https://bugzilla.redhat.com/2359903"},{"url":"https://bugzilla.redhat.com/2359911"},{"url":"https://bugzilla.redhat.com/2359918"},{"url":"https://bugzilla.redhat.com/2359920"},{"url":"https://bugzilla.redhat.com/2359924"},{"url":"https://bugzilla.red
hat.com/2359928"},{"url":"https://bugzilla.redhat.com/2359930"},{"url":"https://bugzilla.redhat.com/2359932"},{"url":"https://bugzilla.redhat.com/2359934"},{"url":"https://bugzilla.redhat.com/2359938"},{"url":"https://bugzilla.redhat.com/2359940"},{"url":"https://bugzilla.redhat.com/2359943"},{"url":"https://bugzilla.redhat.com/2359944"},{"url":"https://bugzilla.redhat.com/2359945"},{"url":"https://bugzilla.redhat.com/2359947"},{"url":"https://bugzilla.redhat.com/2359950"},{"url":"https://bugzilla.redhat.com/2359963"},{"url":"https://bugzilla.redhat.com/2359964"},{"url":"https://bugzilla.redhat.com/2359972"},{"url":"https://bugzilla.redhat.com/2370920"},{"url":"https://bugzilla.redhat.com/2380264"},{"url":"https://bugzilla.redhat.com/2380273"},{"url":"https://bugzilla.redhat.com/2380274"},{"url":"https://bugzilla.redhat.com/2380278"},{"url":"https://bugzilla.redhat.com/2380280"},{"url":"https://bugzilla.redhat.com/2380283"},{"url":"https://bugzilla.redhat.com/2380284"},{"url":"https://bugzilla.redhat.com/2380290"},{"url":"https://bugzilla.redhat.com/2380291"},{"url":"https://bugzilla.redhat.com/2380295"},{"url":"https://bugzilla.redhat.com/2380298"},{"url":"https://bugzilla.redhat.com/2380306"},{"url":"https://bugzilla.redhat.com/2380308"},{"url":"https://bugzilla.redhat.com/2380309"},{"url":"https://bugzilla.redhat.com/2380310"},{"url":"https://bugzilla.redhat.com/2380312"},{"url":"https://bugzilla.redhat.com/2380313"},{"url":"https://bugzilla.redhat.com/2380320"},{"url":"https://bugzilla.redhat.com/2380321"},{"url":"https://bugzilla.redhat.com/2380322"},{"url":"https://bugzilla.redhat.com/2380326"},{"url":"https://bugzilla.redhat.com/2380327"},{"url":"https://bugzilla.redhat.com/2380334"},{"url":"https://bugzilla.redhat.com/2380335"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2338999"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi
?id=2359892"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359894"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359895"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359899"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359902"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359903"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359911"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359918"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359924"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359928"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359930"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359932"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359934"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359938"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359940"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359943"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359945"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359947"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359950"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359963"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359964"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359972"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2370920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380264"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380273"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380274"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380278"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380280"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380283"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380284"},{"
url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380290"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380298"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380306"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380308"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380309"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380310"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380312"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380313"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380320"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380321"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380322"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380326"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380327"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380334"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380335"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21574"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21575"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21577"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21579"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21580"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21584"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21585"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21588"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30681"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30682"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30683"},{"url":"http
s://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30684"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30685"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30687"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30688"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30689"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30693"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30695"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30696"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30699"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30703"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30705"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30715"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30721"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30722"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50077"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50078"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50079"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50080"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50081"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50082"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50083"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50084"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50085"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50086"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50087"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50088"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5009
1"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50092"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50093"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50094"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50096"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50097"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50098"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50099"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50100"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50101"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50102"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50104"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5399"},{"url":"https://errata.almalinux.org/10/ALSA-2025-15699.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:15699"},{"url":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844"},{"url":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467"},{"url":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902"},{"url":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65"},{"url":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86"},{"url":"https://linux.oracle.com/cve/CVE-2024-13176.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-16046.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-13176"},{"url":"https://openssl-library.org/news/secadv/20250120.txt"},{"url":
"https://security.netapp.com/advisory/ntap-20250124-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20250418-0010/"},{"url":"https://security.netapp.com/advisory/ntap-20250502-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-13176"},{"url":"https://www.oracle.com/security-alerts/cpuapr2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. 
For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","solution":"Upgrade libssl3 to 3.1.8-r0"},{"id":"ba3fd6a6651cadb0dbb7e3338f8f4c65180dc2ec","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4603","value":"CVE-2024-4603","url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4603"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"},{"url":"https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"},{"url":"https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"},{"url":"https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"},{"url":"https://linux.orac
le.com/cve/CVE-2024-4603.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4603"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4603"},{"url":"https://www.openssl.org/news/secadv/20240516.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. 
However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libssl3 to 3.1.5-r0"},{"id":"7cc6cd05d4b68cc1829ecc1ea2d619bedab4aa31","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4741","value":"CVE-2024-4741","url":"https://access.redhat.com/errata/RHSA-2024:9333"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4741"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://erra
ta.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177"},{"url":"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d"},{"url":"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac"},{"url":"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4"},{"url":"https://linux.oracle.com/cve/CVE-2024-4741.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4741"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0004/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4741"},{"url":"https://www.openssl.org/news/secadv/20240528.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. 
Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.6-r0"},{"id":"349594971b28b334fff3d8acee6adf51a453e806","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-5535","value":"CVE-2024-5535","url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/06/28/4"},{"url":"http://www.openwall.com/lists/oss-security/2024/08/15/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-5535"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.r
edhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37"},{"url":"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e"},{"url":"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c"},{"url":"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit
/b78ec0824da857223486660177d3b1f255c65d87"},{"url":"https://linux.oracle.com/cve/CVE-2024-5535.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5535"},{"url":"https://openssl.org/news/secadv/20240627.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240712-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-5535"},{"url":"https://www.openssl.org/news/secadv/20240627.txt"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. 
This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. 
If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. 
The fix will be included in the next releases when they\nbecome available.","solution":"Upgrade libssl3 to 3.1.6-r0"},{"id":"c861dc053fa75d03867bcdfc53e46943a2940569","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2511","value":"CVE-2024-2511","url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2511"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce"},{"url":"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d"},{"url":"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640"},{"url":"https://linux.oracle.com/cve/CVE-2024-2511.html"},{"url":"https://
linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2511"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0013/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2511"},{"url":"https://www.openssl.org/news/secadv/20240408.txt"},{"url":"https://www.openssl.org/news/vulnerabilities.html"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL\n1.0.2 is also not affected by this issue.","solution":"Upgrade libssl3 to 3.1.4-r6"},{"id":"531f52883a9bb62464a8cce8114f9ca4439d360b","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9143","value":"CVE-2024-9143","url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/23/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/24/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9143"},{"url":"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712"},{"url":"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700"},{"url":"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4"},{"url":"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9143"},{"url":"https://openssl-library.org/news/secadv/20241016.txt"},{"url":"https://security.netapp.com/advisory/ntap-20241101-0001/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9143"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. 
Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.7-r1"},{"id":"ad8dc4381842ae08ce32d12dce36183928665cbc","severity":"Critical","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-56171","value":"CVE-2024-56171","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"https://access.redhat.com/errata/RHSA-2025:2686"},{"url":"https://access.redhat.com/security/cve/CVE-2024-56171"},{"url":"https://bugzilla.redhat.com/2346416"},{"url":"https://bugzilla.redhat.com/2346421"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346416"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346421"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928"},{"url":"https://errata.almalinux.org/8/ALSA-2025-2686.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:2679"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/828"},{"url":"https://linux.oracle.com/cve/CVE-2024-56171.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-2686.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56171"},{"url":"https://security.netapp.com/advisory/ntap-20250328-0010
/"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-56171"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/18/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.","solution":"Upgrade libxml2 to 2.11.8-r1"},{"id":"097e8eca005b7e3f3308cc9932bf67d642855aa7","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-25062","value":"CVE-2024-25062","url":"https://access.redhat.com/errata/RHSA-2024:3626"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:3626"},{"url":"https://access.redhat.com/security/cve/CVE-2024-25062"},{"url":"https://bugzilla.redhat.com/2262726"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2262726"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062"},{"url":"https://errata.almalinux.org/8/ALSA-2024-3626.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:2679"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/604"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags"},{"url":"https://linux.oracle.com/cve/CVE-2024-25062.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-3626.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25062"},{"url":"https://security.netapp.com/advisory/ntap-20241018-0009/"},{"url":"https://ubuntu
.com/security/notices/USN-6658-1"},{"url":"https://ubuntu.com/security/notices/USN-6658-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-25062"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.","solution":"Upgrade libxml2 to 2.11.7-r0"},{"id":"8441e6a31d1e7141547a729517951b7285daaa8a","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-24928","value":"CVE-2025-24928","url":"https://access.redhat.com/errata/RHSA-2025:2686"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:2686"},{"url":"https://access.redhat.com/security/cve/CVE-2025-24928"},{"url":"https://bugzilla.redhat.com/2346416"},{"url":"https://bugzilla.redhat.com/2346421"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346416"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346421"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928"},{"url":"https://errata.almalinux.org/8/ALSA-2025-2686.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:2679"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/847"},{"url":"https://issues.oss-fuzz.com/issues/392687022"},{"url":"https://linux.oracle.com/cve/CVE-2025-24928.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-2686.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24928"}
,{"url":"https://security.netapp.com/advisory/ntap-20250321-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-24928"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/18/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.","solution":"Upgrade libxml2 to 2.11.8-r1"},{"id":"3efb7741eb52535278b59f69a95e543bd9351820","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-27113","value":"CVE-2025-27113","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"https://access.redhat.com/security/cve/CVE-2025-27113"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/861"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27113"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?i
d=CVE-2025-27113"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/18/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.","solution":"Upgrade libxml2 to 2.11.8-r2"},{"id":"1e8ae327fec659ca7d569af494e5b02247c4b182","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-32414","value":"CVE-2025-32414","url":"https://access.redhat.com/errata/RHSA-2025:8958"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:8958"},{"url":"https://access.redhat.com/security/cve/CVE-2025-32414"},{"url":"https://bugzilla.redhat.com/2358121"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2358121"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2360768"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32414"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32415"},{"url":"https://errata.almalinux.org/8/ALSA-2025-8958.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:13428"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"},{"url":"https://linux.oracle.com/cve/CVE-2025-32414.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-8958.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32414"},{"url":"https://ubuntu.com/security/notices/USN-7467-1"},{"url":"https://ubuntu.com/security/notices/USN-7467-2"},{"url":"https://ubuntu.com/security/notices/USN-7896-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-32414"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.","solution":"Upgrade libxml2 to 2.11.8-r3"},{"id":"4b3309897c2a656cd66efae9ae8a2edc7f4661fd","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-32415","value":"CVE-2025-32415","url":"https://access.redhat.com/errata/RHSA-2025:13203"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:13203"},{"url":"https://access.redhat.com/security/cve/CVE-2025-32415"},{"url":"https://bugzilla.redhat.com/2360768"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2358121"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2360768"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32414"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32415"},{"url":"https://errata.almalinux.org/8/ALSA-2025-13203.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:13428"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"},{"url":"https://linux.oracle.com/cve/CVE-2025-32415.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-13789.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32415"},{"url":"https://ubuntu.com/security/notices/USN-7467-1"},{"url":"https://ubuntu.com/security/notices/USN-7467-2"},{"url":"https://ubuntu.com/security/notices/USN-7896-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-32415"}],"details":{"vulnerable_package":{"name":"V
ulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.","solution":"Upgrade libxml2 to 2.11.8-r3"},{"id":"c97983d1ad892b3da91e8d29e84d6d2a651daa88","severity":"Medium","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-34459","value":"CVE-2024-34459","url":"https://access.redhat.com/security/cve/CVE-2024-34459"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2024-34459"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7"},{"url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedo
raproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34459"},{"url":"https://ubuntu.com/security/notices/USN-7240-1"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-34459"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.","solution":"Upgrade libxml2 to 2.11.8-r0"},{"id":"75e32d5a02b8b54eb4771a17b64e75994596b29b","severity":"High","location":{"dependency":{"package":{"name":"libxslt"},"version":"1.1.38-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-55549","value":"CVE-2024-55549","url":"https://access.redhat.com/errata/RHSA-2025:3615"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:3615"},{"url":"https://access.redhat.com/security/cve/CVE-2024-55549"},{"url":"https://bugzilla.redhat.com/2352483"},{"url":"https://bugzilla.redhat.com/2352484"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352484"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55549"},{"url":"https://errata.almalinux.org/8/ALSA-2025-3615.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:7410"},{"url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"},{"url":"https://linux.oracle.com/cve/CVE-2024-55549.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7496.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55549"},{"url":"https://ubuntu.com/security/notices/USN-7357-1"},{"url":"https://ubuntu.com/se
curity/notices/USN-7787-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-55549"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxslt:1.1.38-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.","solution":"Upgrade libxslt to 1.1.38-r1"},{"id":"6ed162a582d08000abb5a5c38cbf7a2ae6724542","severity":"High","location":{"dependency":{"package":{"name":"libxslt"},"version":"1.1.38-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-24855","value":"CVE-2025-24855","url":"https://access.redhat.com/errata/RHSA-2025:3615"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:3615"},{"url":"https://access.redhat.com/security/cve/CVE-2025-24855"},{"url":"https://bugzilla.redhat.com/2352483"},{"url":"https://bugzilla.redhat.com/2352484"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352483"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352484"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55549"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24855"},{"url":"https://errata.almalinux.org/8/ALSA-2025-3615.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:3615"},{"url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/128"},{"url":"https://linux.oracle.com/cve/CVE-2025-24855.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7496.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24855"},{"url":"https://ubuntu.com/security/notices/USN-7361-1"},{"url":"https://ubuntu.com/security/notices/USN-7787-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-24855"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libxslt:1.1.38-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.","solution":"Upgrade libxslt to 1.1.38-r1"},{"id":"d122629b826586851283dde07be024fb6d1cd544","severity":"High","location":{"dependency":{"package":{"name":"musl"},"version":"1.2.4-r2"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-26519","value":"CVE-2025-26519","url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/4"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/6"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/13/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"musl:1.2.4-r2"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.","solution":"Upgrade musl to 
1.2.4-r3"},{"id":"88b142599b8f72b2ec9b495a2d8d94ca32df56f4","severity":"High","location":{"dependency":{"package":{"name":"musl-utils"},"version":"1.2.4-r2"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-26519","value":"CVE-2025-26519","url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/4"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/6"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/13/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"musl-utils:1.2.4-r2"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.","solution":"Upgrade musl-utils to 1.2.4-r3"},{"id":"d87040b917ae1e7536497b3f788cbcd850998afd","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42363","value":"CVE-2023-42363","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42363"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15865"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42363"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42363"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.","solution":"Upgrade ssl_client to 1.36.1-r7"},{"id":"0a46f1272e2d7986565a9cdad04d0e13e4dec051","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42364","value":"CVE-2023-42364","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42364"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15868"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42364"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42364"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.","solution":"Upgrade ssl_client to 1.36.1-r7"},{"id":"44bbe3133716961c775304b74d66708f6b5153e2","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42365","value":"CVE-2023-42365","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42365"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15871"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42365"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42365"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.","solution":"Upgrade ssl_client to 1.36.1-r7"},{"id":"57c39f0fda444cf66164f163dcc1b99767bc8c3b","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42366","value":"CVE-2023-42366","url":"https://access.redhat.com/security/cve/CVE-2023-42366"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-42366"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15874"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42366"},{"url":"https://security.netapp.com/advisory/ntap-20241206-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42366"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.","solution":"Upgrade ssl_client to 1.36.1-r6"},{"id":"36c9f900412f40dfd513f0e24cedb7e4a03d30f6","severity":"High","location":{"dependency":{"package":{"name":"xz-libs"},"version":"5.4.3-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.77-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-31115","value":"CVE-2025-31115","url":"http://www.openwall.com/lists/oss-security/2025/04/03/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/04/03/1"},{"url":"http://www.openwall.com/lists/oss-security/2025/04/03/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/04/03/3"},{"url":"https://access.redhat.com/security/cve/CVE-2025-31115"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2357249"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31115"},{"url":"https://errata.rockylinux.org/RLSA-2025:7524"},{"url":"https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480"},{"url":"https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2"},{"url":"https://linux.oracle.com/cve/CVE-2025-31115.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7524.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31115"},{"url":"https://tukaani.org/xz/xz-cve-2025-31115.patch"},{"url":"https://ubuntu.com/security/notices/USN-7414-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-31115"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"xz-libs:5.4.3-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. 
No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.","solution":"Upgrade xz-libs to 5.4.3-r1"}],"remediations":[],"scan":{"scanner":{"id":"trivy","name":"Trivy","url":"https://github.com/aquasecurity/trivy/","vendor":{"name":"GitLab"},"version":"0.53.0"},"analyzer":{"id":"gcs","name":"GitLab Container Scanning","vendor":{"name":"GitLab"},"version":"6.7.9"},"type":"container_scanning","start_time":"2026-02-06T08:13:03","end_time":"2026-02-06T08:13:09","status":"success"},"version":"15.0.6"}
1
+
{"vulnerabilities":[{"id":"6a57823f1693dc184051ea7af9a104c823ccaa0e","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42363","value":"CVE-2023-42363","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42363"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15865"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42363"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42363"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.","solution":"Upgrade busybox to 1.36.1-r7"},{"id":"b89189f3cbcb23cafe4896fd01645ed9048c494c","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42364","value":"CVE-2023-42364","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42364"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15868"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42364"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42364"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.","solution":"Upgrade busybox to 1.36.1-r7"},{"id":"1df67681145635bc7436a2f7515d550d40086361","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42365","value":"CVE-2023-42365","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42365"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15871"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42365"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42365"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.","solution":"Upgrade busybox to 1.36.1-r7"},{"id":"09f7b9e19ba53fc36c07a20fee34343cdbb6a3a5","severity":"Medium","location":{"dependency":{"package":{"name":"busybox"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42366","value":"CVE-2023-42366","url":"https://access.redhat.com/security/cve/CVE-2023-42366"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-42366"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15874"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42366"},{"url":"https://security.netapp.com/advisory/ntap-20241206-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42366"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"busybox:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.","solution":"Upgrade busybox to 1.36.1-r6"},{"id":"2dcb9ef3bc8c6a92097f29b0aba023a6b47f76d2","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42363","value":"CVE-2023-42363","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42363"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15865"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42363"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42363"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.","solution":"Upgrade busybox-binsh to 1.36.1-r7"},{"id":"a6afd1fb4dfd73fc0f162ef47abfd6e080c9565f","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42364","value":"CVE-2023-42364","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42364"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15868"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42364"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42364"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.","solution":"Upgrade busybox-binsh to 1.36.1-r7"},{"id":"d7638240aeedf3b96ce2538d874d51b6f34e7088","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42365","value":"CVE-2023-42365","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42365"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15871"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42365"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42365"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.","solution":"Upgrade busybox-binsh to 1.36.1-r7"},{"id":"48352eb403c71f3454c498a1038af1e00285c429","severity":"Medium","location":{"dependency":{"package":{"name":"busybox-binsh"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42366","value":"CVE-2023-42366","url":"https://access.redhat.com/security/cve/CVE-2023-42366"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-42366"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15874"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42366"},{"url":"https://security.netapp.com/advisory/ntap-20241206-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42366"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"busybox-binsh:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.","solution":"Upgrade busybox-binsh to 1.36.1-r6"},{"id":"5373efb659020f1b61c211393b7b969ca8d78a05","severity":"High","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2398","value":"CVE-2024-2398","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/3"},{"url":"https://access.redhat.com/errata/RHSA-2024:5654"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2398"},{"url":"https://bugzilla.redhat.com/2270498"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270498"},{"url":"https://curl.se/docs/CVE-2024-2398.html"},{"url":"https://curl.se/docs/CVE-2024-2398.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398"},{"url":"https://errata.almalinux.org/8/ALSA-2024-5654.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:5654"},{"url":"https://hackerone.com/reports/2402845"},{"url":"https://linux.oracle.com/cve/CVE-2024-2398.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-5654.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2398"},{"url":"https://security.netapp.com/advisory/ntap-20240503-00
09/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-2"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2398"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.","solution":"Upgrade curl to 8.7.1-r0"},{"id":"8cda4aff3a7122777b9acf664e6286676b2a049a","severity":"High","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6197","value":"CVE-2024-6197","url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/5"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6197"},{"url":"https://curl.se/docs/CVE-2024-6197.html"},{"url":"https://curl.se/docs/CVE-2024-6197.json"},{"url":"https://hackerone.com/reports/2559516"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6197"},{"url":"https://security.netapp.com/advisory/ntap-20241129-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6197"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.","solution":"Upgrade curl to 8.9.0-r0"},{"id":"740d6a77b34ef0f5f6fb6fa7e397c036a06bb3a3","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0853","value":"CVE-2024-0853","url":"https://access.redhat.com/security/cve/CVE-2024-0853"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2024-0853"},{"url":"https://curl.se/docs/CVE-2024-0853.html"},{"url":"https://curl.se/docs/CVE-2024-0853.json"},{"url":"https://hackerone.com/reports/2298922"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0853"},{"url":"https://security.netapp.com/advisory/ntap-20240307-0004/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0012/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0853"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor 
Status","type":"text","value":"fixed"}},"description":"curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.","solution":"Upgrade curl to 8.6.0-r0"},{"id":"e2e54b69935eca5e11d9dffa27f836e61e3eb101","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-11053","value":"CVE-2024-11053","url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-11053"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.
redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/sho
w_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=233
9295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339300"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-11053.html"},{"url":"https://curl.se/docs/CVE-2024-11053.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{
"url":"https://hackerone.com/reports/2829063"},{"url":"https://linux.oracle.com/cve/CVE-2024-11053.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11053"},{"url":"https://security.netapp.com/advisory/ntap-20250124-0012/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0003/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7162-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-11053"},{"url":"https://www.oracle.com/security-alerts/cpujan2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password.","solution":"Upgrade curl to 8.11.1-r0"},{"id":"27e4337334e9bddcfd0a0c9f96611cca8feabb02","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2004","value":"CVE-2024-2004","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2004"},{"url":"https://curl.se/docs/CVE-2024-2004.html"},{"url":"https://curl.se/docs/CVE-2024-2004.json"},{"url":"https://hackerone.com/reports/2384833"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2004"},{"url":"https://security.netapp.com/advisory/ntap-20240524-0006/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2004"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. 
curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.","solution":"Upgrade curl to 8.7.1-r0"},{"id":"c4a390a26aeadc42f957bae96af198ac9168d09f","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2379","value":"CVE-2024-2379","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2379"},{"url":"https://curl.se/docs/CVE-2024-2379.html"},{"url":"https://curl.se/docs/CVE-2024-2379.json"},{"url":"https://hackerone.com/reports/2410774"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2379"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0001/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2379"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. 
If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.","solution":"Upgrade curl to 8.7.1-r0"},{"id":"a8269005aa48a8039377cd121af34ddb24559d9b","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2466","value":"CVE-2024-2466","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/4"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2466"},{"url":"https://curl.se/docs/CVE-2024-2466.html"},{"url":"https://curl.se/docs/CVE-2024-2466.json"},{"url":"https://hackerone.com/reports/2416725"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2466"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0010/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2466"},{"url":"https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. 
This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).","solution":"Upgrade curl to 8.7.1-r0"},{"id":"9af4dcf095edb409aa983acacdc99ede7523ef71","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6874","value":"CVE-2024-6874","url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6874"},{"url":"https://curl.se/docs/CVE-2024-6874.html"},{"url":"https://curl.se/docs/CVE-2024-6874.json"},{"url":"https://hackerone.com/reports/2604391"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6874"},{"url":"https://security.netapp.com/advisory/ntap-20240822-0004/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6874"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. 
The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.","solution":"Upgrade curl to 8.9.0-r0"},{"id":"0a9c3ea69054af976d354d7b18f07919221fc63f","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-7264","value":"CVE-2024-7264","url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-7264"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https
://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.redhat.com/show_
bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=23393
00"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-7264.html"},{"url":"https://curl.se/docs/CVE-2024-7264.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.org/cgi-bin/cvename
.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{"url":"https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519"},{"url":"https://hackerone.com/reports/2629
968"},{"url":"https://linux.oracle.com/cve/CVE-2024-7264.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7264"},{"url":"https://security.netapp.com/advisory/ntap-20240828-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6944-1"},{"url":"https://ubuntu.com/security/notices/USN-6944-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-7264"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.","solution":"Upgrade curl to 8.9.1-r0"},{"id":"6aa46e14952c62d17507188275f58fa8053f31f5","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-8096","value":"CVE-2024-8096","url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-8096"},{"url":"https://curl.se/docs/CVE-2024-8096.html"},{"url":"https://curl.se/docs/CVE-2024-8096.json"},{"url":"https://hackerone.com/reports/2669852"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8096"},{"url":"https://security.netapp.com/advisory/ntap-20241011-0005/"},{"url":"https://ubuntu.com/security/notices/USN-7012-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-8096"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. 
If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.","solution":"Upgrade curl to 8.10.0-r0"},{"id":"8274ebc886a79ee6aa965e52e7306650c9128703","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9681","value":"CVE-2024-9681","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"http://www.openwall.com/lists/oss-security/2024/11/06/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9681"},{"url":"https://curl.se/docs/CVE-2024-9681.html"},{"url":"https://curl.se/docs/CVE-2024-9681.json"},{"url":"https://hackerone.com/reports/2764830"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9681"},{"url":"https://security.netapp.com/advisory/ntap-20241213-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7104-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9681"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and 
perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.","solution":"Upgrade curl to 8.11.0-r0"},{"id":"933513a6d5aef61275d5c3cb909ad4ab5ca5ca99","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0665","value":"CVE-2025-0665","url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/5"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0665"},{"url":"https://curl.se/docs/CVE-2025-0665.html"},{"url":"https://curl.se/docs/CVE-2025-0665.json"},{"url":"https://hackerone.com/reports/2954286"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0665"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0665"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl would wrongly close the same eventfd file descriptor twice when taking\ndown a connection channel after having completed a threaded name resolve.","solution":"Upgrade curl to 8.12.0-r0"},{"id":"7265ce3f77de0408849eac8f6ac40961939e126c","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0725","value":"CVE-2025-0725","url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/4"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0725"},{"url":"https://curl.se/docs/CVE-2025-0725.html"},{"url":"https://curl.se/docs/CVE-2025-0725.json"},{"url":"https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7"},{"url":"https://hackerone.com/reports/2956023"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0725"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0009/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0725"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow.","solution":"Upgrade curl to 8.12.0-r0"},{"id":"395b1d1e08965492c3ae13d6a9051da128570af9","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0167","value":"CVE-2025-0167","url":"https://curl.se/docs/CVE-2025-0167.html"}],"links":[{"url":"https://curl.se/docs/CVE-2025-0167.html"},{"url":"https://curl.se/docs/CVE-2025-0167.json"},{"url":"https://hackerone.com/reports/2917232"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0167"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0167"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"curl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. 
A rare circumstance.","solution":"Upgrade curl to 8.12.0-r0"},{"id":"17c1abfed282d3cbe3ee11d799a42a5de03b02b6","severity":"High","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6119","value":"CVE-2024-6119","url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"},{"url":"https://access.redhat.com/errata/RHSA-2024:8935"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6119"},{"url":"https://bugzilla.redhat.com/2306158"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2306158"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6119"},{"url":"https://errata.almalinux.org/9/ALSA-2024-8935.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6783"},{"url":"https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f"},{"url":"https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6"},{"url":"https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2"},{"url":"https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0"},{"url":"https://github.com/openssl/openssl/security/advisories/GHSA-5qrj-vq78-58fj"},{"url":"https://linux.oracle.com/cve/CVE-2024-6119.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-8935.html"},{"url":"https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6119"},{"url":"https://openssl-library.org/news/secadv/20240903.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240912-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6986-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6119"}],"details":{"vulnerable_packa
ge":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.7-r0"},{"id":"3f256c9527db90f917fc23fa3e480c04e8337a9d","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6129","value":"CVE-2023-6129","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6129"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35"},{"url":"https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04"},{"url":"https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015"},{"url":"https://linux.oracle.com/cve/CVE-2023-6129.html"},{"url":"https://linux.oracle.c
om/errata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6129"},{"url":"https://security.netapp.com/advisory/ntap-20240216-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0013/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0011/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6129"},{"url":"https://www.openssl.org/news/secadv/20240109.txt"},{"url":"https://www.openwall.com/lists/oss-security/2024/01/09/1"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. 
However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.","solution":"Upgrade libcrypto3 to 3.1.4-r3"},{"id":"0f9d8af026dbf472c4e8f72f25a23a0bbc8a1330","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6237","value":"CVE-2023-6237","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6237"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d"},{"url":"https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a"},{"url":"https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294"},{"url":"https://linux.oracle.com/cve/CVE-2023-6237.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6237"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0007/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6237"},{"url":"https://www.openssl.org/news/secadv/20240115.txt"}
,{"url":"https://www.openwall.com/lists/oss-security/2024/01/15/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. 
For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.4-r4"},{"id":"25f6944dc25f0ea29335deab1df3266220dfe664","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0727","value":"CVE-2024-0727","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2024-0727"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2"},{"url":"https://github.com/github/advisory-database/pull/3472"},{"url":"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2"},{"url":"ht
tps://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a"},{"url":"https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c"},{"url":"https://github.com/openssl/openssl/pull/23362"},{"url":"https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539"},{"url":"https://linux.oracle.com/cve/CVE-2024-0727.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0727"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-6632-1"},{"url":"https://ubuntu.com/security/notices/USN-6709-1"},{"url":"https://ubuntu.com/security/notices/USN-7018-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0727"},{"url":"https://www.openssl.org/news/secadv/20240125.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. 
The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.4-r5"},{"id":"306515dc553232ebc855c0243d13793ff64e75dc","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-13176","value":"CVE-2024-13176","url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"},{"url":"https://access.redhat.com/errata/RHSA-2025:15699"},{"url":"https://access.redhat.com/security/cve/CVE-2024-13176"},{"url":"https://bugzilla.redhat.com/2359885"},{"url":"https://bugzilla.redhat.com/2359888"},{"url":"https://bugzilla.redhat.com/2359892"},{"url":"https://bugzilla.redhat.com/2359894"},{"url":"https://bugzilla.redhat.com/2359895"},{"url":"https://bugzilla.redhat.com/2359899"},{"url":"https://bugzilla.redhat.com/2359900"},{"url":"https://bugzilla.redhat.com/2359902"},{"url":"https://bugzilla.redhat.com/2359903"},{"url":"https://bugzilla.redhat.com/2359911"},{"url":"https://bugzilla.redhat.com/2359918"},{"url":"https://bugzilla.redhat.com/2359920"},{"url":"https://bugzilla.redhat.com/2359924"},{"url":"https://bugzil
la.redhat.com/2359928"},{"url":"https://bugzilla.redhat.com/2359930"},{"url":"https://bugzilla.redhat.com/2359932"},{"url":"https://bugzilla.redhat.com/2359934"},{"url":"https://bugzilla.redhat.com/2359938"},{"url":"https://bugzilla.redhat.com/2359940"},{"url":"https://bugzilla.redhat.com/2359943"},{"url":"https://bugzilla.redhat.com/2359944"},{"url":"https://bugzilla.redhat.com/2359945"},{"url":"https://bugzilla.redhat.com/2359947"},{"url":"https://bugzilla.redhat.com/2359950"},{"url":"https://bugzilla.redhat.com/2359963"},{"url":"https://bugzilla.redhat.com/2359964"},{"url":"https://bugzilla.redhat.com/2359972"},{"url":"https://bugzilla.redhat.com/2370920"},{"url":"https://bugzilla.redhat.com/2380264"},{"url":"https://bugzilla.redhat.com/2380273"},{"url":"https://bugzilla.redhat.com/2380274"},{"url":"https://bugzilla.redhat.com/2380278"},{"url":"https://bugzilla.redhat.com/2380280"},{"url":"https://bugzilla.redhat.com/2380283"},{"url":"https://bugzilla.redhat.com/2380284"},{"url":"https://bugzilla.redhat.com/2380290"},{"url":"https://bugzilla.redhat.com/2380291"},{"url":"https://bugzilla.redhat.com/2380295"},{"url":"https://bugzilla.redhat.com/2380298"},{"url":"https://bugzilla.redhat.com/2380306"},{"url":"https://bugzilla.redhat.com/2380308"},{"url":"https://bugzilla.redhat.com/2380309"},{"url":"https://bugzilla.redhat.com/2380310"},{"url":"https://bugzilla.redhat.com/2380312"},{"url":"https://bugzilla.redhat.com/2380313"},{"url":"https://bugzilla.redhat.com/2380320"},{"url":"https://bugzilla.redhat.com/2380321"},{"url":"https://bugzilla.redhat.com/2380322"},{"url":"https://bugzilla.redhat.com/2380326"},{"url":"https://bugzilla.redhat.com/2380327"},{"url":"https://bugzilla.redhat.com/2380334"},{"url":"https://bugzilla.redhat.com/2380335"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2338999"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359888"},{"url":"https://bugzilla.redhat.com/show_b
ug.cgi?id=2359892"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359894"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359895"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359899"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359902"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359903"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359911"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359918"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359924"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359928"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359930"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359932"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359934"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359938"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359940"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359943"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359945"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359947"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359950"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359963"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359964"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359972"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2370920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380264"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380273"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380274"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380278"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380280"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380283"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=238028
4"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380290"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380298"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380306"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380308"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380309"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380310"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380312"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380313"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380320"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380321"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380322"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380326"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380327"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380334"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380335"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21574"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21575"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21577"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21579"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21580"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21584"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21585"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21588"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30681"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30682"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30683"},{"url"
:"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30684"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30685"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30687"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30688"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30689"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30693"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30695"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30696"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30699"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30703"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30705"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30715"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30721"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30722"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50077"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50078"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50079"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50080"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50081"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50082"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50083"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50084"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50085"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50086"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50087"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50088"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202
5-50091"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50092"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50093"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50094"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50096"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50097"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50098"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50099"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50100"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50101"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50102"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50104"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5399"},{"url":"https://errata.almalinux.org/10/ALSA-2025-15699.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:15699"},{"url":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844"},{"url":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467"},{"url":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902"},{"url":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65"},{"url":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86"},{"url":"https://linux.oracle.com/cve/CVE-2024-13176.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-16046.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-13176"},{"url":"https://openssl-library.org/news/secadv/20250120.txt"},{
"url":"https://security.netapp.com/advisory/ntap-20250124-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20250418-0010/"},{"url":"https://security.netapp.com/advisory/ntap-20250502-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-13176"},{"url":"https://www.oracle.com/security-alerts/cpuapr2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. 
For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.8-r0"},{"id":"8de4c8dde224d196642e0536691aadea06a584e6","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4603","value":"CVE-2024-4603","url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4603"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"},{"url":"https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"},{"url":"https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"},{"url":"https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"},{"url":"https://linu
x.oracle.com/cve/CVE-2024-4603.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4603"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4603"},{"url":"https://www.openssl.org/news/secadv/20240516.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. 
However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.5-r0"},{"id":"a3907a5769c18aaac4ecf8aa4f4e2c68749a2723","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4741","value":"CVE-2024-4741","url":"https://access.redhat.com/errata/RHSA-2024:9333"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4741"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https:
//errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177"},{"url":"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d"},{"url":"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac"},{"url":"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4"},{"url":"https://linux.oracle.com/cve/CVE-2024-4741.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4741"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0004/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4741"},{"url":"https://www.openssl.org/news/secadv/20240528.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. 
Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.6-r0"},{"id":"22779a04a8ac1f66ed1253930f14f986cdfb8e9f","severity":"Medium","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-5535","value":"CVE-2024-5535","url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/06/28/4"},{"url":"http://www.openwall.com/lists/oss-security/2024/08/15/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-5535"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.r
edhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37"},{"url":"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e"},{"url":"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c"},{"url":"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit
/b78ec0824da857223486660177d3b1f255c65d87"},{"url":"https://linux.oracle.com/cve/CVE-2024-5535.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5535"},{"url":"https://openssl.org/news/secadv/20240627.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240712-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-5535"},{"url":"https://www.openssl.org/news/secadv/20240627.txt"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. 
This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. 
If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. 
The fix will be included in the next releases when they\nbecome available.","solution":"Upgrade libcrypto3 to 3.1.6-r0"},{"id":"3f7f72ba82861b9d00a3fcda3226ea09cc3307a4","severity":"Low","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2511","value":"CVE-2024-2511","url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2511"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce"},{"url":"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d"},{"url":"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640"},{"url":"https://linux.oracle.com/cve/CVE-2024-2511.html"},{"url":"ht
tps://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2511"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0013/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2511"},{"url":"https://www.openssl.org/news/secadv/20240408.txt"},{"url":"https://www.openssl.org/news/vulnerabilities.html"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL\n1.0.2 is also not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.4-r6"},{"id":"117f0317db12a492e32e9f57a8be9f30354d3936","severity":"Low","location":{"dependency":{"package":{"name":"libcrypto3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9143","value":"CVE-2024-9143","url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/23/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/24/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9143"},{"url":"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712"},{"url":"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700"},{"url":"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4"},{"url":"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9143"},{"url":"https://openssl-library.org/news/secadv/20241016.txt"},{"url":"https://security.netapp.com/advisory/ntap-20241101-0001/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9143"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libcrypto3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. 
Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libcrypto3 to 3.1.7-r1"},{"id":"d39d73e7456b5b30d69a2614c674870fc954d25a","severity":"High","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2398","value":"CVE-2024-2398","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/3"},{"url":"https://access.redhat.com/errata/RHSA-2024:5654"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2398"},{"url":"https://bugzilla.redhat.com/2270498"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270498"},{"url":"https://curl.se/docs/CVE-2024-2398.html"},{"url":"https://curl.se/docs/CVE-2024-2398.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398"},{"url":"https://errata.almalinux.org/8/ALSA-2024-5654.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:5654"},{"url":"https://hackerone.com/reports/2402845"},{"url":"https://linux.oracle.com/cve/CVE-2024-2398.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-5654.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2398"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0009/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://
support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-2"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2398"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"b8d6d8c6323b1b1c58ebadaff87aa6b4d909fbb1","severity":"High","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6197","value":"CVE-2024-6197","url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/5"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6197"},{"url":"https://curl.se/docs/CVE-2024-6197.html"},{"url":"https://curl.se/docs/CVE-2024-6197.json"},{"url":"https://hackerone.com/reports/2559516"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6197"},{"url":"https://security.netapp.com/advisory/ntap-20241129-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6197"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor 
Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.","solution":"Upgrade libcurl to 8.9.0-r0"},{"id":"d651b0211be4b357d081f770e3566dec7608d91c","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0853","value":"CVE-2024-0853","url":"https://access.redhat.com/security/cve/CVE-2024-0853"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2024-0853"},{"url":"https://curl.se/docs/CVE-2024-0853.html"},{"url":"https://curl.se/docs/CVE-2024-0853.json"},{"url":"https://hackerone.com/reports/2298922"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0853"},{"url":"https://security.netapp.com/advisory/ntap-20240307-0004/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0012/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0853"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"curl inadvertently kept the SSL session ID for connections in 
its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.","solution":"Upgrade libcurl to 8.6.0-r0"},{"id":"34664a42469ed25c5a40a226951c7087b43fdd3b","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-11053","value":"CVE-2024-11053","url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/12/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-11053"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"
},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.r
edhat.com/show_bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_b
ug.cgi?id=2339300"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-11053.html"},{"url":"https://curl.se/docs/CVE-2024-11053.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.or
g/cgi-bin/cvename.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{"url":"https://hackerone.com/reports/2829063"},{"url":"https://linux.oracle.com/cve/CVE-2024-11053.html"},{"url
":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11053"},{"url":"https://security.netapp.com/advisory/ntap-20250124-0012/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0003/"},{"url":"https://security.netapp.com/advisory/ntap-20250131-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7162-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-11053"},{"url":"https://www.oracle.com/security-alerts/cpujan2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password.","solution":"Upgrade libcurl to 8.11.1-r0"},{"id":"9998a7e355fd1234769759438ba350393f018c18","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2004","value":"CVE-2024-2004","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2004"},{"url":"https://curl.se/docs/CVE-2024-2004.html"},{"url":"https://curl.se/docs/CVE-2024-2004.json"},{"url":"https://hackerone.com/reports/2384833"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2004"},{"url":"https://security.netapp.com/advisory/ntap-20240524-0006/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://ubuntu.com/security/notices/USN-6718-1"},{"url":"https://ubuntu.com/security/notices/USN-6718-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2004"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. 
curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"1284ba8012d9f3c6543b6b07a02f0ab52c7ffc1b","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2379","value":"CVE-2024-2379","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2379"},{"url":"https://curl.se/docs/CVE-2024-2379.html"},{"url":"https://curl.se/docs/CVE-2024-2379.json"},{"url":"https://hackerone.com/reports/2410774"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2379"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0001/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2379"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. 
If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"8cb736d74f44ce16cf4337c8b97bb685447f06f4","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2466","value":"CVE-2024-2466","url":"http://seclists.org/fulldisclosure/2024/Jul/18"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Jul/18"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/19"},{"url":"http://seclists.org/fulldisclosure/2024/Jul/20"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/27/4"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2466"},{"url":"https://curl.se/docs/CVE-2024-2466.html"},{"url":"https://curl.se/docs/CVE-2024-2466.json"},{"url":"https://hackerone.com/reports/2416725"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2466"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0010/"},{"url":"https://support.apple.com/kb/HT214118"},{"url":"https://support.apple.com/kb/HT214119"},{"url":"https://support.apple.com/kb/HT214120"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2466"},{"url":"https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. 
This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).","solution":"Upgrade libcurl to 8.7.1-r0"},{"id":"66cf3c9ebff25954bd73b3e3d672276445bbc2e8","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6874","value":"CVE-2024-6874","url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/24/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6874"},{"url":"https://curl.se/docs/CVE-2024-6874.html"},{"url":"https://curl.se/docs/CVE-2024-6874.json"},{"url":"https://hackerone.com/reports/2604391"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6874"},{"url":"https://security.netapp.com/advisory/ntap-20240822-0004/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6874"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. 
The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.","solution":"Upgrade libcurl to 8.9.0-r0"},{"id":"577de605df81b7a438dc121540195201cf6a2c50","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-7264","value":"CVE-2024-7264","url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/07/31/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-7264"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":
"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.redhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294676"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318857"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318858"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318870"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318873"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318874"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318876"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318882"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318883"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318884"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318886"},{"url":"https://bugzilla.redhat.com
/show_bug.cgi?id=2318897"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318905"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318914"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318922"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318923"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318925"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318926"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318927"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331191"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339218"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339220"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339221"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339226"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339231"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339236"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339238"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339247"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339252"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339259"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339266"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339270"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339271"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339275"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339277"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339281"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339284"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339293"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339299"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id
=2339300"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339304"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2339305"},{"url":"https://curl.se/docs/CVE-2024-7264.html"},{"url":"https://curl.se/docs/CVE-2024-7264.json"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"},{"url":"https://cve.mitre.org/cgi-bin/c
vename.cgi?name=CVE-2025-21490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:1671"},{"url":"https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519"},{"url":"https://hackerone.com/report
s/2629968"},{"url":"https://linux.oracle.com/cve/CVE-2024-7264.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7264"},{"url":"https://security.netapp.com/advisory/ntap-20240828-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6944-1"},{"url":"https://ubuntu.com/security/notices/USN-6944-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-7264"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.","solution":"Upgrade libcurl to 8.9.1-r0"},{"id":"f22154e05e22617166ef0a9ea8f40c4108ea077e","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-8096","value":"CVE-2024-8096","url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/11/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-8096"},{"url":"https://curl.se/docs/CVE-2024-8096.html"},{"url":"https://curl.se/docs/CVE-2024-8096.json"},{"url":"https://hackerone.com/reports/2669852"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8096"},{"url":"https://security.netapp.com/advisory/ntap-20241011-0005/"},{"url":"https://ubuntu.com/security/notices/USN-7012-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-8096"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. 
If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.","solution":"Upgrade libcurl to 8.10.0-r0"},{"id":"3ae882d499103783b2db245be737de49124910e9","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9681","value":"CVE-2024-9681","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"http://www.openwall.com/lists/oss-security/2024/11/06/2"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9681"},{"url":"https://curl.se/docs/CVE-2024-9681.html"},{"url":"https://curl.se/docs/CVE-2024-9681.json"},{"url":"https://hackerone.com/reports/2764830"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9681"},{"url":"https://security.netapp.com/advisory/ntap-20241213-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7104-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9681"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` 
scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.","solution":"Upgrade libcurl to 8.11.0-r0"},{"id":"649a796ffaa3521c8bcbb32e7d83859df6c50365","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0665","value":"CVE-2025-0665","url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/5"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0665"},{"url":"https://curl.se/docs/CVE-2025-0665.html"},{"url":"https://curl.se/docs/CVE-2025-0665.json"},{"url":"https://hackerone.com/reports/2954286"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0665"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0665"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libcurl would wrongly close the same eventfd file descriptor twice when taking\ndown a connection channel after having completed a threaded name resolve.","solution":"Upgrade libcurl to 8.12.0-r0"},{"id":"2923a58fd73531dfdaead94673d9611761fd19c9","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0725","value":"CVE-2025-0725","url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/05/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/06/4"},{"url":"https://access.redhat.com/security/cve/CVE-2025-0725"},{"url":"https://curl.se/docs/CVE-2025-0725.html"},{"url":"https://curl.se/docs/CVE-2025-0725.json"},{"url":"https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7"},{"url":"https://hackerone.com/reports/2956023"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0725"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0009/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0725"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow.","solution":"Upgrade libcurl to 8.12.0-r0"},{"id":"39a57f176009cd2aaf8e9dc77011aab5c545f94c","severity":"Low","location":{"dependency":{"package":{"name":"libcurl"},"version":"8.5.0-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-0167","value":"CVE-2025-0167","url":"https://curl.se/docs/CVE-2025-0167.html"}],"links":[{"url":"https://curl.se/docs/CVE-2025-0167.html"},{"url":"https://curl.se/docs/CVE-2025-0167.json"},{"url":"https://hackerone.com/reports/2917232"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0167"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-0167"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libcurl:8.5.0-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. 
A rare circumstance.","solution":"Upgrade libcurl to 8.12.0-r0"},{"id":"547fb99149c2b8e671e7fad73bd4bb6047c0eae8","severity":"Critical","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-45491","value":"CVE-2024-45491","url":"https://access.redhat.com/errata/RHSA-2024:8859"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:8859"},{"url":"https://access.redhat.com/security/cve/CVE-2024-45491"},{"url":"https://bugzilla.redhat.com/2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308615"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308617"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45492"},{"url":"https://errata.almalinux.org/8/ALSA-2024-8859.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6754"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes"},{"url":"https://github.com/libexpat/libexpat/issues/888"},{"url":"https://github.com/libexpat/libexpat/pull/891"},{"url":"https://linux.oracle.com/cve/CVE-2024-45491.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-8859.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45491"},{"url":"https://security.netapp.com/advisory/ntap-20241018-0003/"},{"url":"https://ubuntu.com/security/notices/USN-7000-1"},{"url":"https://ubuntu.com/security/notices/USN-7000-2"},{"url":"https://ubuntu.com/security/notices/USN-7001-1"},{"url":"https://ubuntu.com/security/notices/USN-7001-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-45491"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).","solution":"Upgrade libexpat to 2.6.3-r0"},{"id":"57e581a2085ad7225fa78de6166aa115e82f3c61","severity":"Critical","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-45492","value":"CVE-2024-45492","url":"https://access.redhat.com/errata/RHSA-2024:6989"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:6989"},{"url":"https://access.redhat.com/security/cve/CVE-2024-45492"},{"url":"https://bugzilla.redhat.com/2308615"},{"url":"https://bugzilla.redhat.com/2308616"},{"url":"https://bugzilla.redhat.com/2308617"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308615"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308617"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45492"},{"url":"https://errata.almalinux.org/8/ALSA-2024-6989.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6754"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes"},{"url":"https://github.com/libexpat/libexpat/issues/889"},{"url":"https://github.com/libexpat/libexpat/pull/892"},{"url":"https://linux.oracle.com/cve/CVE-2024-45492.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-6989.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45492"},{"url":"https://security
.netapp.com/advisory/ntap-20241018-0005/"},{"url":"https://ubuntu.com/security/notices/USN-7000-1"},{"url":"https://ubuntu.com/security/notices/USN-7000-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-45492"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).","solution":"Upgrade libexpat to 2.6.3-r0"},{"id":"e895b5d458f8cc6dbbc851bd3ff13f174c72cb3f","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-52425","value":"CVE-2023-52425","url":"http://www.openwall.com/lists/oss-security/2024/03/20/5"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/20/5"},{"url":"https://access.redhat.com/errata/RHSA-2024:4259"},{"url":"https://access.redhat.com/security/cve/CVE-2023-52425"},{"url":"https://bugzilla.redhat.com/2262877"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2262877"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425"},{"url":"https://errata.almalinux.org/8/ALSA-2024-4259.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:1615"},{"url":"https://github.com/libexpat/libexpat/pull/789"},{"url":"https://linux.oracle.com/cve/CVE-2023-52425.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-4259.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"ht
tps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52425"},{"url":"https://security.netapp.com/advisory/ntap-20240614-0003/"},{"url":"https://ubuntu.com/security/notices/USN-6694-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-52425"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.","solution":"Upgrade libexpat to 2.6.0-r0"},{"id":"690eb7f05624a80bd745a80b79143c80dacc2062","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-28757","value":"CVE-2024-28757","url":"http://www.openwall.com/lists/oss-security/2024/03/15/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/15/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:1530"},{"url":"https://access.redhat.com/security/cve/CVE-2024-28757"},{"url":"https://bugzilla.redhat.com/2262877"},{"url":"https://bugzilla.redhat.com/2268766"},{"url":"https://errata.almalinux.org/9/ALSA-2024-1530.html"},{"url":"https://github.com/libexpat/libexpat/issues/839"},{"url":"https://github.com/libexpat/libexpat/pull/842"},{"url":"https://linux.oracle.com/cve/CVE-2024-28757.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-1530.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28757"},{"url":"https://security.netapp.com/advisory/ntap-20240322-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6694-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-28757"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).","solution":"Upgrade libexpat to 2.6.2-r0"},{"id":"7b9213ab093fd24d382c5d99c2426bcf629ddea4","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-45490","value":"CVE-2024-45490","url":"http://seclists.org/fulldisclosure/2024/Dec/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2024/Dec/10"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/12"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/6"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/7"},{"url":"http://seclists.org/fulldisclosure/2024/Dec/8"},{"url":"https://access.redhat.com/errata/RHSA-2024:6989"},{"url":"https://access.redhat.com/security/cve/CVE-2024-45490"},{"url":"https://bugzilla.redhat.com/2308615"},{"url":"https://bugzilla.redhat.com/2308616"},{"url":"https://bugzilla.redhat.com/2308617"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308615"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308616"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308617"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45491"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45492"},{"url":"https://errata.almalinux.org/8/ALSA-2024-6989.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6754"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes"},{"url":"https://github.com/libexpat/libexpat/issues/887"},{"url":"https://github.com/libexpat/libexpat/pull/890"},{"url":"https://linux
.oracle.com/cve/CVE-2024-45490.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-6989.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45490"},{"url":"https://security.netapp.com/advisory/ntap-20241018-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7000-1"},{"url":"https://ubuntu.com/security/notices/USN-7000-2"},{"url":"https://ubuntu.com/security/notices/USN-7001-1"},{"url":"https://ubuntu.com/security/notices/USN-7001-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-45490"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.","solution":"Upgrade libexpat to 2.6.3-r0"},{"id":"43ddac76a6a7f120e4590ba9740bbb905bc33efe","severity":"High","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-8176","value":"CVE-2024-8176","url":"http://seclists.org/fulldisclosure/2025/May/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/May/10"},{"url":"http://seclists.org/fulldisclosure/2025/May/11"},{"url":"http://seclists.org/fulldisclosure/2025/May/12"},{"url":"http://seclists.org/fulldisclosure/2025/May/6"},{"url":"http://seclists.org/fulldisclosure/2025/May/7"},{"url":"http://seclists.org/fulldisclosure/2025/May/8"},{"url":"http://www.openwall.com/lists/oss-security/2025/03/15/1"},{"url":"http://www.openwall.com/lists/oss-security/2025/09/24/11"},{"url":"https://access.redhat.com/errata/RHSA-2025:13681"},{"url":"https://access.redhat.com/errata/RHSA-2025:22033"},{"url":"https://access.redhat.com/errata/RHSA-2025:22034"},{"url":"https://access.redhat.com/errata/RHSA-2025:22035"},{"url":"https://access.redhat.com/errata/RHSA-2025:22607"},{"url":"https://access.redhat.com/errata/RHSA-2025:22785"},{"url":"https://access.redhat.com/errata/RHSA-2025:22842"},{"url":"https://access.redhat.com/errata/RHSA-2025:22871"},{"url":"https://access.redhat.com/errata/RHSA-2025:3531"},{"url":"https://access.redhat.com/errata/RHSA-2025:3734"},{"url":"https://access.redhat.com/errata/RHSA-2025:3913"},{"url":"https://access.redhat.com/errata/RHSA-2025:4048"},{"url":"https://access.redhat.com/errata/RHSA-2025:4446"},{"url":"https://access.redhat.com/errata/RHSA-2025:4447"},{"url":"https://access.redhat.com/errata/RHSA-2025:4448"},{"url":"https://access.redhat.com/errata/RHSA-2025:4449"},{"url":"https://access.redhat.com/errata/RHSA-2025:7444"},{"url":"https://access.redhat.com/errata/RHSA-2025:7512"},{"url":"https://access.redhat.com/errata/RHSA-2025:8385"},{"url":"https://access.redhat.com/security/cve/CVE-2024-8176"},{"url":"https://blog.hartwork.org/posts/expat-2-7-0-released/"},{"url":"https://bugzilla.redhat.com/2310137"},{"url":"https://bugzilla.
redhat.com/show_bug.cgi?id=2310137"},{"url":"https://bugzilla.suse.com/show_bug.cgi?id=1239618"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8176"},{"url":"https://errata.almalinux.org/8/ALSA-2025-3913.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:7444"},{"url":"https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52"},{"url":"https://github.com/libexpat/libexpat/issues/893"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53"},{"url":"https://linux.oracle.com/cve/CVE-2024-8176.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7512.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8176"},{"url":"https://security-tracker.debian.org/tracker/CVE-2024-8176"},{"url":"https://security.netapp.com/advisory/ntap-20250328-0009/"},{"url":"https://ubuntu.com/security/CVE-2024-8176"},{"url":"https://ubuntu.com/security/notices/USN-7424-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-8176"},{"url":"https://www.kb.cert.org/vuls/id/760160"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. 
This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.","solution":"Upgrade libexpat to 2.7.0-r0"},{"id":"fcb02a144b5114b84325bf67518f4722afb0aa20","severity":"Medium","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-52426","value":"CVE-2023-52426","url":"https://access.redhat.com/security/cve/CVE-2023-52426"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-52426"},{"url":"https://cwe.mitre.org/data/definitions/776.html"},{"url":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"},{"url":"https://github.com/libexpat/libexpat/pull/777"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52426"},{"url":"https://security.netapp.com/advisory/ntap-20240307-0005/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-52426"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.","solution":"Upgrade libexpat to 2.6.0-r0"},{"id":"09f0474aa1814e6bab58740173f968b561bef66c","severity":"Medium","location":{"dependency":{"package":{"name":"libexpat"},"version":"2.5.0-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-50602","value":"CVE-2024-50602","url":"https://access.redhat.com/errata/RHSA-2024:9502"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:9502"},{"url":"https://access.redhat.com/security/cve/CVE-2024-50602"},{"url":"https://bugzilla.redhat.com/2321987"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2321987"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50602"},{"url":"https://errata.almalinux.org/8/ALSA-2024-9502.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9502"},{"url":"https://github.com/libexpat/libexpat/pull/915"},{"url":"https://linux.oracle.com/cve/CVE-2024-50602.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9541.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00040.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50602"},{"url":"https://security.netapp.com/advisory/ntap-20250404-0008/"},{"url":"https://ubuntu.com/security/notices/USN-7145-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-50602"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libexpat:2.5.0-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libexpat before 2.6.4. 
There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.","solution":"Upgrade libexpat to 2.6.4-r0"},{"id":"25250cbf830f601410786876bbad7bfffe07913e","severity":"High","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-6119","value":"CVE-2024-6119","url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/03/4"},{"url":"https://access.redhat.com/errata/RHSA-2024:8935"},{"url":"https://access.redhat.com/security/cve/CVE-2024-6119"},{"url":"https://bugzilla.redhat.com/2306158"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2306158"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6119"},{"url":"https://errata.almalinux.org/9/ALSA-2024-8935.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:6783"},{"url":"https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f"},{"url":"https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6"},{"url":"https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2"},{"url":"https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0"},{"url":"https://github.com/openssl/openssl/security/advisories/GHSA-5qrj-vq78-58fj"},{"url":"https://linux.oracle.com/cve/CVE-2024-6119.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-8935.html"},{"url":"https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6119"},{"url":"https://openssl-library.org/news/secadv/20240903.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240912-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6986-1"},{"url":"https://ubuntu.com/security/notices/USN-7
894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6119"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.7-r0"},{"id":"d13da69b8f9c5c43b89e895591387773d2c52566","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6129","value":"CVE-2023-6129","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6129"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35"},{"url":"https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04"},{"url":"https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015"},{"url":"https://linux.oracle.com/cve/CVE-2023-6129.html"},{"url":"https://linux.oracle.com/err
ata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6129"},{"url":"https://security.netapp.com/advisory/ntap-20240216-0009/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0008/"},{"url":"https://security.netapp.com/advisory/ntap-20240426-0013/"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0011/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6129"},{"url":"https://www.openssl.org/news/secadv/20240109.txt"},{"url":"https://www.openwall.com/lists/oss-security/2024/01/09/1"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. 
However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.","solution":"Upgrade libssl3 to 3.1.4-r3"},{"id":"d9e510dd389520333b033627fedf2963e67bd73e","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-6237","value":"CVE-2023-6237","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2023-6237"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d"},{"url":"https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a"},{"url":"https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294"},{"url":"https://linux.oracle.com/cve/CVE-2023-6237.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6237"},{"url":"https://security.netapp.com/advisory/ntap-20240531-0007/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-6237"},{"url":"https://www.openssl.org/news/secadv/20240115.txt"}
,{"url":"https://www.openwall.com/lists/oss-security/2024/01/15/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. 
For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libssl3 to 3.1.4-r4"},{"id":"369354a923a257eb975737209e307dc44d176727","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-0727","value":"CVE-2024-0727","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"url":"https://access.redhat.com/errata/RHSA-2024:9088"},{"url":"https://access.redhat.com/security/cve/CVE-2024-0727"},{"url":"https://bugzilla.redhat.com/2257571"},{"url":"https://bugzilla.redhat.com/2258502"},{"url":"https://bugzilla.redhat.com/2259944"},{"url":"https://bugzilla.redhat.com/2284243"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257571"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258502"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2259944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2284243"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1298"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9088.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9088"},{"url":"https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2"},{"url":"https://github.com/github/advisory-database/pull/3472"},{"url":"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2"},{"url":"https://
github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a"},{"url":"https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c"},{"url":"https://github.com/openssl/openssl/pull/23362"},{"url":"https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539"},{"url":"https://linux.oracle.com/cve/CVE-2024-0727.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9088.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0727"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006"},{"url":"https://security.netapp.com/advisory/ntap-20240208-0006/"},{"url":"https://ubuntu.com/security/notices/USN-6622-1"},{"url":"https://ubuntu.com/security/notices/USN-6632-1"},{"url":"https://ubuntu.com/security/notices/USN-6709-1"},{"url":"https://ubuntu.com/security/notices/USN-7018-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0727"},{"url":"https://www.openssl.org/news/secadv/20240125.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. 
The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.4-r5"},{"id":"0aaac507a6b68b7c4e07e802ed42e99625803421","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-13176","value":"CVE-2024-13176","url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"},{"url":"https://access.redhat.com/errata/RHSA-2025:15699"},{"url":"https://access.redhat.com/security/cve/CVE-2024-13176"},{"url":"https://bugzilla.redhat.com/2359885"},{"url":"https://bugzilla.redhat.com/2359888"},{"url":"https://bugzilla.redhat.com/2359892"},{"url":"https://bugzilla.redhat.com/2359894"},{"url":"https://bugzilla.redhat.com/2359895"},{"url":"https://bugzilla.redhat.com/2359899"},{"url":"https://bugzilla.redhat.com/2359900"},{"url":"https://bugzilla.redhat.com/2359902"},{"url":"https://bugzilla.redhat.com/2359903"},{"url":"https://bugzilla.redhat.com/2359911"},{"url":"https://bugzilla.redhat.com/2359918"},{"url":"https://bugzilla.redhat.com/2359920"},{"url":"https://bugzilla.redhat.com/2359924"},{"url":"https://bugzilla.red
hat.com/2359928"},{"url":"https://bugzilla.redhat.com/2359930"},{"url":"https://bugzilla.redhat.com/2359932"},{"url":"https://bugzilla.redhat.com/2359934"},{"url":"https://bugzilla.redhat.com/2359938"},{"url":"https://bugzilla.redhat.com/2359940"},{"url":"https://bugzilla.redhat.com/2359943"},{"url":"https://bugzilla.redhat.com/2359944"},{"url":"https://bugzilla.redhat.com/2359945"},{"url":"https://bugzilla.redhat.com/2359947"},{"url":"https://bugzilla.redhat.com/2359950"},{"url":"https://bugzilla.redhat.com/2359963"},{"url":"https://bugzilla.redhat.com/2359964"},{"url":"https://bugzilla.redhat.com/2359972"},{"url":"https://bugzilla.redhat.com/2370920"},{"url":"https://bugzilla.redhat.com/2380264"},{"url":"https://bugzilla.redhat.com/2380273"},{"url":"https://bugzilla.redhat.com/2380274"},{"url":"https://bugzilla.redhat.com/2380278"},{"url":"https://bugzilla.redhat.com/2380280"},{"url":"https://bugzilla.redhat.com/2380283"},{"url":"https://bugzilla.redhat.com/2380284"},{"url":"https://bugzilla.redhat.com/2380290"},{"url":"https://bugzilla.redhat.com/2380291"},{"url":"https://bugzilla.redhat.com/2380295"},{"url":"https://bugzilla.redhat.com/2380298"},{"url":"https://bugzilla.redhat.com/2380306"},{"url":"https://bugzilla.redhat.com/2380308"},{"url":"https://bugzilla.redhat.com/2380309"},{"url":"https://bugzilla.redhat.com/2380310"},{"url":"https://bugzilla.redhat.com/2380312"},{"url":"https://bugzilla.redhat.com/2380313"},{"url":"https://bugzilla.redhat.com/2380320"},{"url":"https://bugzilla.redhat.com/2380321"},{"url":"https://bugzilla.redhat.com/2380322"},{"url":"https://bugzilla.redhat.com/2380326"},{"url":"https://bugzilla.redhat.com/2380327"},{"url":"https://bugzilla.redhat.com/2380334"},{"url":"https://bugzilla.redhat.com/2380335"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2338999"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359885"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359888"},{"url":"https://bugzilla.redhat.com/show_bug.cgi
?id=2359892"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359894"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359895"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359899"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359900"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359902"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359903"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359911"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359918"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359924"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359928"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359930"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359932"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359934"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359938"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359940"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359943"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359944"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359945"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359947"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359950"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359963"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359964"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2359972"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2370920"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380264"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380273"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380274"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380278"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380280"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380283"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380284"},{"
url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380290"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380291"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380295"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380298"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380306"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380308"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380309"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380310"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380312"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380313"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380320"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380321"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380322"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380326"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380327"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380334"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2380335"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21574"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21575"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21577"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21579"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21580"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21584"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21585"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21588"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30681"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30682"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30683"},{"url":"http
s://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30684"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30685"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30687"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30688"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30689"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30693"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30695"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30696"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30699"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30703"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30705"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30715"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30721"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30722"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50077"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50078"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50079"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50080"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50081"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50082"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50083"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50084"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50085"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50086"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50087"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50088"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5009
1"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50092"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50093"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50094"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50096"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50097"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50098"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50099"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50100"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50101"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50102"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50104"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5399"},{"url":"https://errata.almalinux.org/10/ALSA-2025-15699.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:15699"},{"url":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844"},{"url":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467"},{"url":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902"},{"url":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65"},{"url":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86"},{"url":"https://linux.oracle.com/cve/CVE-2024-13176.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-16046.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-13176"},{"url":"https://openssl-library.org/news/secadv/20250120.txt"},{"url":
"https://security.netapp.com/advisory/ntap-20250124-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20250418-0010/"},{"url":"https://security.netapp.com/advisory/ntap-20250502-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-13176"},{"url":"https://www.oracle.com/security-alerts/cpuapr2025.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. 
For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","solution":"Upgrade libssl3 to 3.1.8-r0"},{"id":"a8e9d55682ead2614740e8d5490c3fed354f5929","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4603","value":"CVE-2024-4603","url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4603"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"},{"url":"https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"},{"url":"https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"},{"url":"https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"},{"url":"https://linux.orac
le.com/cve/CVE-2024-4603.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4603"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4603"},{"url":"https://www.openssl.org/news/secadv/20240516.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. 
However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","solution":"Upgrade libssl3 to 3.1.5-r0"},{"id":"1e7fc72c7dd25eb29f8de55676c75ee556edbe92","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-4741","value":"CVE-2024-4741","url":"https://access.redhat.com/errata/RHSA-2024:9333"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-4741"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://erra
ta.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177"},{"url":"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d"},{"url":"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac"},{"url":"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4"},{"url":"https://linux.oracle.com/cve/CVE-2024-4741.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4741"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0004/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4741"},{"url":"https://www.openssl.org/news/secadv/20240528.txt"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. 
Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.6-r0"},{"id":"79499aee72330aee9f700cd3d1d038008305b7f6","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-5535","value":"CVE-2024-5535","url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/06/27/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/06/28/4"},{"url":"http://www.openwall.com/lists/oss-security/2024/08/15/1"},{"url":"https://access.redhat.com/errata/RHSA-2025:1673"},{"url":"https://access.redhat.com/security/cve/CVE-2024-5535"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/2294676"},{"url":"https://bugzilla.redhat.com/2301888"},{"url":"https://bugzilla.redhat.com/2318857"},{"url":"https://bugzilla.redhat.com/2318858"},{"url":"https://bugzilla.redhat.com/2318870"},{"url":"https://bugzilla.redhat.com/2318873"},{"url":"https://bugzilla.redhat.com/2318874"},{"url":"https://bugzilla.redhat.com/2318876"},{"url":"https://bugzilla.redhat.com/2318882"},{"url":"https://bugzilla.redhat.com/2318883"},{"url":"https://bugzilla.redhat.com/2318884"},{"url":"https://bugzilla.redhat.com/2318885"},{"url":"https://bugzilla.redhat.com/2318886"},{"url":"https://bugzilla.redhat.com/2318897"},{"url":"https://bugzilla.redhat.com/2318900"},{"url":"https://bugzilla.redhat.com/2318905"},{"url":"https://bugzilla.redhat.com/2318914"},{"url":"https://bugzilla.redhat.com/2318922"},{"url":"https://bugzilla.redhat.com/2318923"},{"url":"https://bugzilla.redhat.com/2318925"},{"url":"https://bugzilla.redhat.com/2318926"},{"url":"https://bugzilla.redhat.com/2318927"},{"url":"https://bugzilla.redhat.com/2331191"},{"url":"https://bugzilla.redhat.com/2339218"},{"url":"https://bugzilla.redhat.com/2339220"},{"url":"https://bugzilla.redhat.com/2339221"},{"url":"https://bugzilla.redhat.com/2339226"},{"url":"https://bugzilla.redhat.com/2339231"},{"url":"https://bugzilla.redhat.com/2339236"},{"url":"https://bugzilla.redhat.com/2339238"},{"url":"https://bugzilla.r
edhat.com/2339243"},{"url":"https://bugzilla.redhat.com/2339247"},{"url":"https://bugzilla.redhat.com/2339252"},{"url":"https://bugzilla.redhat.com/2339259"},{"url":"https://bugzilla.redhat.com/2339266"},{"url":"https://bugzilla.redhat.com/2339270"},{"url":"https://bugzilla.redhat.com/2339271"},{"url":"https://bugzilla.redhat.com/2339275"},{"url":"https://bugzilla.redhat.com/2339277"},{"url":"https://bugzilla.redhat.com/2339281"},{"url":"https://bugzilla.redhat.com/2339284"},{"url":"https://bugzilla.redhat.com/2339291"},{"url":"https://bugzilla.redhat.com/2339293"},{"url":"https://bugzilla.redhat.com/2339295"},{"url":"https://bugzilla.redhat.com/2339299"},{"url":"https://bugzilla.redhat.com/2339300"},{"url":"https://bugzilla.redhat.com/2339304"},{"url":"https://bugzilla.redhat.com/2339305"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/8/ALSA-2025-1673.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37"},{"url":"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e"},{"url":"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c"},{"url":"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c"},{"url":"https://github.openssl.org/openssl/extended-releases/commit
/b78ec0824da857223486660177d3b1f255c65d87"},{"url":"https://linux.oracle.com/cve/CVE-2024-5535.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-1673.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5535"},{"url":"https://openssl.org/news/secadv/20240627.txt"},{"url":"https://security.netapp.com/advisory/ntap-20240712-0005/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0006/"},{"url":"https://security.netapp.com/advisory/ntap-20241025-0010/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-5535"},{"url":"https://www.openssl.org/news/secadv/20240627.txt"},{"url":"https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. 
This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. 
If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. 
The fix will be included in the next releases when they\nbecome available.","solution":"Upgrade libssl3 to 3.1.6-r0"},{"id":"c74df57c7ecfbfb0d599c93742831aac705b9a46","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-2511","value":"CVE-2024-2511","url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/04/08/5"},{"url":"https://access.redhat.com/errata/RHSA-2024:9333"},{"url":"https://access.redhat.com/security/cve/CVE-2024-2511"},{"url":"https://bugzilla.redhat.com/2274020"},{"url":"https://bugzilla.redhat.com/2281029"},{"url":"https://bugzilla.redhat.com/2283757"},{"url":"https://bugzilla.redhat.com/2294581"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274020"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2281029"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2283757"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2294581"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2511"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4603"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"},{"url":"https://errata.almalinux.org/9/ALSA-2024-9333.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:9333"},{"url":"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce"},{"url":"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d"},{"url":"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640"},{"url":"https://linux.oracle.com/cve/CVE-2024-2511.html"},{"url":"https://
linux.oracle.com/errata/ELSA-2024-9333.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2511"},{"url":"https://security.netapp.com/advisory/ntap-20240503-0013/"},{"url":"https://ubuntu.com/security/notices/USN-6937-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2511"},{"url":"https://www.openssl.org/news/secadv/20240408.txt"},{"url":"https://www.openssl.org/news/vulnerabilities.html"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL\n1.0.2 is also not affected by this issue.","solution":"Upgrade libssl3 to 3.1.4-r6"},{"id":"ffde906cff4c045892c2e15a910ab92a8758c54e","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.1.4-r1"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-9143","value":"CVE-2024-9143","url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2024/10/16/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/23/1"},{"url":"http://www.openwall.com/lists/oss-security/2024/10/24/1"},{"url":"https://access.redhat.com/security/cve/CVE-2024-9143"},{"url":"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712"},{"url":"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700"},{"url":"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4"},{"url":"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a"},{"url":"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9143"},{"url":"https://openssl-library.org/news/secadv/20241016.txt"},{"url":"https://security.netapp.com/advisory/ntap-20241101-0001/"},{"url":"https://ubuntu.com/security/notices/USN-7264-1"},{"url":"https://ubuntu.com/security/notices/USN-7278-1"},{"url":"https://ubuntu.com/security/notices/USN-7894-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9143"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libssl3:3.1.4-r1"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. 
Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","solution":"Upgrade libssl3 to 3.1.7-r1"},{"id":"770f2fd5603ba40c00eace5948ab28be43b078b1","severity":"Critical","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-56171","value":"CVE-2024-56171","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"https://access.redhat.com/errata/RHSA-2025:2686"},{"url":"https://access.redhat.com/security/cve/CVE-2024-56171"},{"url":"https://bugzilla.redhat.com/2346416"},{"url":"https://bugzilla.redhat.com/2346421"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346416"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346421"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928"},{"url":"https://errata.almalinux.org/8/ALSA-2025-2686.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:2679"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/828"},{"url":"https://linux.oracle.com/cve/CVE-2024-56171.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-2686.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56171"},{"url":"https://security.netapp.com/advisory/ntap-20250328-0010
/"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-56171"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/18/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.","solution":"Upgrade libxml2 to 2.11.8-r1"},{"id":"68042168af0dca0263365abadde51fd1a34914ba","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-25062","value":"CVE-2024-25062","url":"https://access.redhat.com/errata/RHSA-2024:3626"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2024:3626"},{"url":"https://access.redhat.com/security/cve/CVE-2024-25062"},{"url":"https://bugzilla.redhat.com/2262726"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2262726"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062"},{"url":"https://errata.almalinux.org/8/ALSA-2024-3626.html"},{"url":"https://errata.rockylinux.org/RLSA-2024:2679"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/604"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags"},{"url":"https://linux.oracle.com/cve/CVE-2024-25062.html"},{"url":"https://linux.oracle.com/errata/ELSA-2024-3626.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25062"},{"url":"https://security.netapp.com/advisory/ntap-20241018-0009/"},{"url":"https://ubuntu
.com/security/notices/USN-6658-1"},{"url":"https://ubuntu.com/security/notices/USN-6658-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-25062"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.","solution":"Upgrade libxml2 to 2.11.7-r0"},{"id":"d499587be7d1bb7be05e234f0ff86f8488a251e9","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-24928","value":"CVE-2025-24928","url":"https://access.redhat.com/errata/RHSA-2025:2686"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:2686"},{"url":"https://access.redhat.com/security/cve/CVE-2025-24928"},{"url":"https://bugzilla.redhat.com/2346416"},{"url":"https://bugzilla.redhat.com/2346421"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346416"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2346421"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928"},{"url":"https://errata.almalinux.org/8/ALSA-2025-2686.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:2679"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/847"},{"url":"https://issues.oss-fuzz.com/issues/392687022"},{"url":"https://linux.oracle.com/cve/CVE-2025-24928.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-2686.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24928"}
,{"url":"https://security.netapp.com/advisory/ntap-20250321-0006/"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-24928"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/18/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.","solution":"Upgrade libxml2 to 2.11.8-r1"},{"id":"d018dfa4a5fcb7973dc35b74bdb6418ddfbced56","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-27113","value":"CVE-2025-27113","url":"http://seclists.org/fulldisclosure/2025/Apr/10"}],"links":[{"url":"http://seclists.org/fulldisclosure/2025/Apr/10"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/11"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/12"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/13"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/4"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/5"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/8"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/9"},{"url":"https://access.redhat.com/security/cve/CVE-2025-27113"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/861"},{"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27113"},{"url":"https://security.netapp.com/advisory/ntap-20250306-0004/"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?i
d=CVE-2025-27113"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/18/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.","solution":"Upgrade libxml2 to 2.11.8-r2"},{"id":"a277b38bd3f2e3106067a44c4ac18b3c5b497197","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-32414","value":"CVE-2025-32414","url":"https://access.redhat.com/errata/RHSA-2025:8958"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:8958"},{"url":"https://access.redhat.com/security/cve/CVE-2025-32414"},{"url":"https://bugzilla.redhat.com/2358121"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2358121"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2360768"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32414"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32415"},{"url":"https://errata.almalinux.org/8/ALSA-2025-8958.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:13428"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"},{"url":"https://linux.oracle.com/cve/CVE-2025-32414.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-8958.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32414"},{"url":"https://ubuntu.com/security/notices/USN-7467-1"},{"url":"https://ubuntu.com/security/notices/USN-7467-2"},{"url":"https://ubuntu.com/security/notices/USN-7896-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-32414"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.","solution":"Upgrade libxml2 to 2.11.8-r3"},{"id":"3f6eb868f8eb8c06ce60a39156ead4aa4ca4af37","severity":"High","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-32415","value":"CVE-2025-32415","url":"https://access.redhat.com/errata/RHSA-2025:13203"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:13203"},{"url":"https://access.redhat.com/security/cve/CVE-2025-32415"},{"url":"https://bugzilla.redhat.com/2360768"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2358121"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2360768"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32414"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32415"},{"url":"https://errata.almalinux.org/8/ALSA-2025-13203.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:13428"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"},{"url":"https://linux.oracle.com/cve/CVE-2025-32415.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-13789.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32415"},{"url":"https://ubuntu.com/security/notices/USN-7467-1"},{"url":"https://ubuntu.com/security/notices/USN-7467-2"},{"url":"https://ubuntu.com/security/notices/USN-7896-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-32415"}],"details":{"vulnerable_package":{"name":"V
ulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.","solution":"Upgrade libxml2 to 2.11.8-r3"},{"id":"5b0a279fc6ff9462287eb7f0788457c882f6957a","severity":"Medium","location":{"dependency":{"package":{"name":"libxml2"},"version":"2.11.6-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-34459","value":"CVE-2024-34459","url":"https://access.redhat.com/security/cve/CVE-2024-34459"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2024-34459"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8"},{"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7"},{"url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedo
raproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34459"},{"url":"https://ubuntu.com/security/notices/USN-7240-1"},{"url":"https://ubuntu.com/security/notices/USN-7302-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-34459"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxml2:2.11.6-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.","solution":"Upgrade libxml2 to 2.11.8-r0"},{"id":"68136e50d5710d006296246225227d20de3d6158","severity":"High","location":{"dependency":{"package":{"name":"libxslt"},"version":"1.1.38-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2024-55549","value":"CVE-2024-55549","url":"https://access.redhat.com/errata/RHSA-2025:3615"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:3615"},{"url":"https://access.redhat.com/security/cve/CVE-2024-55549"},{"url":"https://bugzilla.redhat.com/2352483"},{"url":"https://bugzilla.redhat.com/2352484"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352484"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55549"},{"url":"https://errata.almalinux.org/8/ALSA-2025-3615.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:7410"},{"url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"},{"url":"https://linux.oracle.com/cve/CVE-2024-55549.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7496.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55549"},{"url":"https://ubuntu.com/security/notices/USN-7357-1"},{"url":"https://ubuntu.com/se
curity/notices/USN-7787-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-55549"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"libxslt:1.1.38-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.","solution":"Upgrade libxslt to 1.1.38-r1"},{"id":"fbaa4394f43593f3ed613b79b8b7fac77f6f902c","severity":"High","location":{"dependency":{"package":{"name":"libxslt"},"version":"1.1.38-r0"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-24855","value":"CVE-2025-24855","url":"https://access.redhat.com/errata/RHSA-2025:3615"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2025:3615"},{"url":"https://access.redhat.com/security/cve/CVE-2025-24855"},{"url":"https://bugzilla.redhat.com/2352483"},{"url":"https://bugzilla.redhat.com/2352484"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352483"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352484"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55549"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24855"},{"url":"https://errata.almalinux.org/8/ALSA-2025-3615.html"},{"url":"https://errata.rockylinux.org/RLSA-2025:3615"},{"url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/128"},{"url":"https://linux.oracle.com/cve/CVE-2025-24855.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7496.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24855"},{"url":"https://ubuntu.com/security/notices/USN-7361-1"},{"url":"https://ubuntu.com/security/notices/USN-7787-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-24855"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"libxslt:1.1.38-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.","solution":"Upgrade libxslt to 1.1.38-r1"},{"id":"a3836a81436528f73c7e04f1e6cd2f0df10646c6","severity":"High","location":{"dependency":{"package":{"name":"musl"},"version":"1.2.4-r2"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-26519","value":"CVE-2025-26519","url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/4"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/6"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/13/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"musl:1.2.4-r2"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.","solution":"Upgrade musl to 
1.2.4-r3"},{"id":"61951b64ecb6c63256ac5386874dc83ab7a9759d","severity":"High","location":{"dependency":{"package":{"name":"musl-utils"},"version":"1.2.4-r2"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-26519","value":"CVE-2025-26519","url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/3"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/4"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/13/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/5"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/14/6"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da"},{"url":"https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659"},{"url":"https://www.openwall.com/lists/oss-security/2025/02/13/2"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"musl-utils:1.2.4-r2"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.","solution":"Upgrade musl-utils to 1.2.4-r3"},{"id":"ed55120ed6cd37c7ca2e6e5449a115758951735c","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42363","value":"CVE-2023-42363","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090760.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42363"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15865"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42363"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42363"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.","solution":"Upgrade ssl_client to 1.36.1-r7"},{"id":"6b6b63bdae483cf23775256d58e380cb8f7c5fe7","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42364","value":"CVE-2023-42364","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42364"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15868"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42364"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42364"}],"details":{"vulnerable_package":{"name":"Vulnerable 
Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.","solution":"Upgrade ssl_client to 1.36.1-r7"},{"id":"974355308d8471604c166f98540bb57823afd19b","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42365","value":"CVE-2023-42365","url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"}],"links":[{"url":"http://lists.busybox.net/pipermail/busybox/2024-May/090762.html"},{"url":"https://access.redhat.com/security/cve/CVE-2023-42365"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15871"},{"url":"https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42365"},{"url":"https://ubuntu.com/security/notices/USN-6961-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42365"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.","solution":"Upgrade ssl_client to 1.36.1-r7"},{"id":"e9abe975d3379d5186d91242f75b7a8474361f95","severity":"Medium","location":{"dependency":{"package":{"name":"ssl_client"},"version":"1.36.1-r5"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2023-42366","value":"CVE-2023-42366","url":"https://access.redhat.com/security/cve/CVE-2023-42366"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-42366"},{"url":"https://bugs.busybox.net/show_bug.cgi?id=15874"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42366"},{"url":"https://security.netapp.com/advisory/ntap-20241206-0007/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-42366"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"ssl_client:1.36.1-r5"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.","solution":"Upgrade ssl_client to 1.36.1-r6"},{"id":"7f139c5ce08721b76158de9b72b9832d86cd9cff","severity":"High","location":{"dependency":{"package":{"name":"xz-libs"},"version":"5.4.3-r0"},"operating_system":"alpine 
3.18.5","image":"harbor.infra.nntc.pro/images/nntc-ui-kit:0.0.78-stabletest"},"identifiers":[{"type":"cve","name":"CVE-2025-31115","value":"CVE-2025-31115","url":"http://www.openwall.com/lists/oss-security/2025/04/03/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2025/04/03/1"},{"url":"http://www.openwall.com/lists/oss-security/2025/04/03/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/04/03/3"},{"url":"https://access.redhat.com/security/cve/CVE-2025-31115"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2357249"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31115"},{"url":"https://errata.rockylinux.org/RLSA-2025:7524"},{"url":"https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480"},{"url":"https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2"},{"url":"https://linux.oracle.com/cve/CVE-2025-31115.html"},{"url":"https://linux.oracle.com/errata/ELSA-2025-7524.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31115"},{"url":"https://tukaani.org/xz/xz-cve-2025-31115.patch"},{"url":"https://ubuntu.com/security/notices/USN-7414-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-31115"}],"details":{"vulnerable_package":{"name":"Vulnerable Package","type":"text","value":"xz-libs:5.4.3-r0"},"vendor_status":{"name":"Vendor Status","type":"text","value":"fixed"}},"description":"XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. 
No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.","solution":"Upgrade xz-libs to 5.4.3-r1"}],"remediations":[],"scan":{"scanner":{"id":"trivy","name":"Trivy","url":"https://github.com/aquasecurity/trivy/","vendor":{"name":"GitLab"},"version":"0.53.0"},"analyzer":{"id":"gcs","name":"GitLab Container Scanning","vendor":{"name":"GitLab"},"version":"6.7.9"},"type":"container_scanning","start_time":"2026-02-06T08:55:13","end_time":"2026-02-06T08:55:16","status":"success"},"version":"15.0.6"}