Trivy scan security vulnerabilities
During the Trivy check of the entitlements-v0-27-1-gc-2:latest Docker image we found the following security vulnerabilities:
Vulnerability ID | Affected libs | Severity | Description | Link | Source |
---|---|---|---|---|---|
CVE-2024-45491 | libexpat 2.6.2-r0 | CRITICAL | An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | https://avd.aquasec.com/nvd/2024/cve-2024-45491/ | alpine 3.17.7 |
CVE-2024-45492 | libexpat 2.6.2-r0 | CRITICAL | An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | https://avd.aquasec.com/nvd/2024/cve-2024-45492/ | alpine 3.17.7 |
CVE-2024-38821 | org.springframework.security:spring-security-web (app.jar) | CRITICAL | Spring-WebFlux: Authorization Bypass of Static Resources in WebFlux Applications | https://avd.aquasec.com/nvd/2024/cve-2024-38821/ | Java (jar) |
CVE-2024-6197 | curl, libcurl 8.7.1-r0 | HIGH | libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. | https://avd.aquasec.com/nvd/2024/cve-2024-6197/ | alpine 3.17.7 |
CVE-2024-45490 | libexpat 2.6.2-r0 | HIGH | An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. | https://avd.aquasec.com/nvd/2024/cve-2024-45490/ | alpine 3.17.7 |
CVE-2020-36518 | jackson-databind | HIGH | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | https://avd.aquasec.com/nvd/2020/cve-2020-36518/ | Java (jar) |
CVE-2021-46877 | jackson-databind | HIGH | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. | https://avd.aquasec.com/nvd/2021/cve-2021-46877/ | Java (jar) |
CVE-2022-42003 | jackson-databind | HIGH | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | https://avd.aquasec.com/nvd/2022/cve-2022-42003/ | Java (jar) |
CVE-2022-42004 | jackson-databind | HIGH | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | https://avd.aquasec.com/nvd/2022/cve-2022-42004/ | Java (jar) |
CVE-2024-47535 | io.netty:netty-common 4.1.109.Final (applicationinsights-agent.jar), io.netty:netty-common 4.1.111.Final (app.jar) | HIGH | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115. | https://avd.aquasec.com/nvd/2024/cve-2024-47535/ | Java (jar) |
CVE-2024-38816 | org.springframework:spring-webmvc 6.1.10 (app.jar) | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | https://avd.aquasec.com/nvd/2024/cve-2024-38816/ | Java (jar) |
Edited by Oleksandr Stetskiv-SLB